SECTION 1


INTRODUCTION 

This report presents the results of Task 8 of NASA contract NAS1-17411, 
"Automatic Control Design Procedures for Restructurable Aircraft Controls." 

The purpose of this task was to integrate the control redesign and automatic 
trim procedures which have been developed [1]* with the failure detection/
identification (FDI) algorithms being developed under contract no. NAS1-18004,
[2]. The output of this task was a Fortran program that implemented a complete
restructurable flight control system (RFCS) on NASA's modified B-737
aircraft simulation for a single flight condition. This report documents the 
development of this prototype RFCS, discusses the results of simulations at 
NASA, and draws some conclusions. Table 1-1 shows the breakdown of the entire 
project by task. 

Until now, the individual components of a prototype RFCS have been 
developed independently under two contracts (NAS1-17411 and NAS1-18004) to
ALPHATECH, Inc. (see [1],[2]). While much interaction between these efforts 
has taken place, the details of integrating these components were not ini- 
tially addressed. The independent work provided opportunity for greater depth 
in the research efforts and detailed analysis of the capabilities and limitations
of the various subsystems. These initial efforts have been combined in
this effort in order to evaluate the overall system concept, and to determine
the need for additional functionality.

*References are indicated by numbers in square brackets; the list appears at
the end of the main body of this report.

TABLE 1-1. TASK BREAKDOWN FOR NASA CONTRACT NO. NAS1-17411 


Task 1 Development of an Automatic Control Design Procedure 
for Restructurable Controls 

Task 2 Flight Control Design Demonstration 

Task 3 Application to an Aircraft with a Single Failure 

Task 4 Reporting 

Task 5 Perform a Complete Linearized Evaluation of the 
Automatic Design Algorithm 

Task 6 Apply the Automatic Design Algorithm to a Nonlinear 
Simulation Model 

Task 7 Extend the Restructuring Algorithm to Include Linear 
and Nonlinear Trim 

Task 8 Integrated Automatic Control and FDI Designs 


1.1 BACKGROUND

As aircraft become increasingly sophisticated, and as static stability 
is decreased in the interests of efficiency and maneuverability, the poten- 
tial damage caused by unanticipated failure increases dramatically. Although 
pilots can be trained to react in the case of anticipated major failures, 
they cannot be expected to respond correctly, and in time, for all conceiv- 
able failures. This is particularly frustrating because modern aircraft, 
with complex controls, may remain controllable despite individual failures, 
as happened recently in two well publicized cases. In one case (a Delta
L-1011 flight [3]), the pilot was able to reconfigure his available controls
to save the plane. In another (the Chicago DC-10 crash [4]), the pilot could
not, although hindsight revealed the plane probably could have been saved. 

The objective of a restructurable flight control system (RFCS) is to
solve automatically and quickly the control problem facing a pilot during an 
emergency. The class of problems of interest includes those where the fail- 
ure or failures are unanticipated, but excludes those unsolvable areas (total 
wing separation) where the plane cannot be saved. 

The development of an automatic RFCS is best viewed as a problem in 
failure accommodation. That is, we wish to design a flight control system 
that is tolerant of those failure modes that cannot adequately be handled by 
the pilot in an emergency. As indicated in Fig. 1-1, this fault-tolerant 
operation can be achieved either passively (through the use of robust control 
laws) or actively (through FDI and control reconfiguration). 


[Figure 1-1 diagram: FAILURE ACCOMMODATION branches into ROBUST CONTROL,
FAILURE DETECTION & IDENTIFICATION, and CONTROL RECONFIGURATION.]

Figure 1-1. Failure Accommodation Decomposition

Passive fault tolerance can be thought of as robustness — the aircraft 
with its normal flight control system (including the pilot) can tolerate
certain failures without modification. Other failures, however, may be too
severe for the normal (i.e., any acceptable normal) controller to handle, and
thus require active system modification. This modification involves (implicitly
or explicitly) two processes: 1) failure detection and identification
(including identification of a post-failure system model) and 2) control
system reconfiguration in light of the identified failure.

Figure 1-2 provides a functional description of a RFCS which exploits 
both passive and active failure accommodation technologies. The system consists
of a robust multivariable flight control system, a failure detection
and identification algorithm and a procedure for automatic control system 
redesign.

Figure 1-2. RFCS Component Decomposition

The robust multivariable flight control system is used in the RFCS to
achieve a high degree of passive fault tolerance to "minor" failures, and to
provide a safety margin for "major" failures so that the active components
have time to operate. To achieve this, the control design must exploit the
inherent control redundancy in the aircraft in order to minimize the effects
of actuator failures and other damage. It is, however, unlikely that a robust
control system alone will be sufficient to handle the wide range of failure/
damage modes that must be accommodated. Even if possible, passive accommodation
could require infeasibly high loop gains and bandwidths, might compromise
the performance of the unfailed aircraft, or could require unnecessarily complex
FCS hardware. Nonetheless, a properly designed robust flight control
system applied to the unfailed aircraft will be able to handle the less severe 
failure/damage modes and will lengthen the time available for reconfiguring 
the FCS. 

The more severe failure/damage modes will require a reconfiguration of 
the FCS. As indicated in Fig. 1-2, reconfiguration is initiated by a FDI
system that must detect all conditions that may potentially lead to emergency
conditions as well as identify the remaining control capability of the failed 
aircraft. The problems of false alarms and missed detections in the FDI sys- 
tem are minimized due to the existence of a robust nominal control system. 

As noted above, the nominal control system is designed to handle as many as 
possible of the failure/damage conditions. The FDI system is then required 
to handle only failure/damages that severely impact performance. As the 
severity of the impact of a failure on the aircraft performance increases, 
the urgency of reaction increases and the time available to reconfigure 
decreases. However, this trend is compensated by the corresponding increase
in the signature of the failure, which reduces the time needed by the FDI
system to respond. This phenomenon, coupled with the effects of the robust 
control system and robust FDI design techniques, should allow a properly 
designed FDI system virtually to eliminate the problem of false alarms and 
missed detection. 

The last component in Fig. 1-2, the automatic redesign module (ARM), 
uses the information about failures provided by the FDI system to modify the 
nominal robust FCS. To be effective, the new control system must be able to 
reconstruct the desired forces and moments as much as possible given the presence
of large disturbances due to failures and, very importantly, constraints
on the control system (e.g., actuation limits, bandwidth limits, etc.). Since
control system constraints were important in the design of the nominal robust 
control system, the engineering tradeoffs that went into that design should 
be reflected in the new control design. Furthermore, the ARM should be tol- 
erant of FDI limitations. Incorporation of FDI uncertainty into the redesign 
procedure will allow the new control system to hedge against imperfectly 
detected or isolated failures. Finally, graceful degradation of performance 
as the severity of failure increases should be a property of the ARM and can 
be obtained by ensuring that the nominal control system is recovered by the 
ARM when no failures are present. 

Figure 1-3 presents the prototype RFCS that has been developed for this 
project with the above issues in mind. Control of the aircraft is effected 
through a dynamic feedback compensator that nominally provides command fol- 
lowing, disturbance rejection, and stability augmentation for the unfailed 
aircraft without violating the constraints of the actuation mechanisms. In 
addition, a certain degree of passive fault tolerance is achieved by spreading
the control authority amongst many independent control elements. This results
in the nonstandard use of standard control surfaces (e.g., collective aileron 
deflection) and implies a potential for increased safety from future develop- 
ment of nonstandard control surfaces. 





Figure 1-3. Restructurable Control System 


The purpose of the FDI system is to monitor the aircraft reliably and to 
indicate the presence of conditions which are beyond the capabilities of the 
normally configured system. Such a system must be general enough to respond 
to a variety of failure modes (including those that would not degrade system 
performance for maintenance purposes) yet be maximally sensitive to those 
failures that are of critical importance. In terms of flight-safety and 
overall aircraft survivability, it seems obvious that changes in the control 
authority of any control element are most important. However, since any 
FDI system must use sensors of some kind, the ability to respond to sensor
failures becomes critical in terms of the operational reliability of the FDI
system. Thus, both control element failures and sensor failures should be
handled explicitly in the FDI system to ensure maximal FDI performance during 
these failure conditions. Other failure modes may need to be detected (e.g., 
nonflight-critical equipment, small aerodynamic changes); however, less 
explicit information is needed in these cases in order to effect a useful 
control redesign. 

Finally, redesign of the control system is accomplished through two 
functions that make maximal use of the information that is potentially avail- 
able from a failure detection and identification algorithm. The feedback con- 
trol redesign procedure discussed in [1] is based on the linear quadratic (LQ) 
design procedure and attempts to recover as much performance as possible (as 
measured by the return difference function) while maintaining the actuator 
bandwidth constraints that were present (either explicitly or implicitly) in 
the original feedback control design. The automatic trim system makes use of 
the observable parts of the disturbances that exist following a failure by 
feeding forward a control solution that is a function of the desired steady- 
state outputs and the observed disturbance. Since the disturbance must be 
observed/estimated after the failure occurs, and since it may take on a con- 
tinuum of values, the automatic trim problem must be solved on-line. 

1.2 SUMMARY 

The purpose of this study was to examine the complementary capabilities 
of several restructurable flight control system (RFCS) concepts through the 
integration of these technologies into a complete system. Performance issues 
were addressed through a re-examination of RFCS functional requirements, and
through a qualitative analysis of the design issues that, if properly addressed
during integration, will lead to the highest possible degree of fault-tolerant
performance. Software developed under previous phases of this contract and
under NAS1-18004 was modified and integrated into a complete RFCS subroutine
for NASA's B-737 simulation. The integration of these modules involved the
development of methods for dealing with the mismatch between the outputs of
the failure detection module and the input requirements of the automatic
control system redesign module. The performance of this demonstration system
was examined through extensive simulation trials.

In Section 5 we present details of an RFCS design for a modified B-737 
aircraft. This RFCS includes functional elements to detect and isolate 
aircraft-path and actuator-path control element failures, to redesign the 
feedback compensator after a failure has been detected, and to retrim the 
aircraft when significant measurable disturbances are present. The RFCS did
not include any function to estimate remaining control effectiveness or to 
estimate (rather than measure) significant disturbances. 

Extensive tests using NASA’s nonlinear 6-DOF simulation were made. These 
tests were aimed at examining the impact of FDI delays and incomplete FDI 
decisions as well as examining the recovery capability of the compensator 
redesign and retrim algorithms. In all, over 40 simulation runs were made. 

A discussion of several specific runs is given in subsection 5.2. Subsection
5.3 provides a general summary of the results and Section 6 concludes with 
suggestions for further work. We believe that the key conclusions are: 

1. Reconfiguration can provide a mechanism for failure recovery 
that fully utilizes the remaining (post-failure) control 
authority and achieves a high degree of fault-tolerance, even 
for major failures.

2. The RFCS demonstrated in this report performed quite well.
Failure detection was accomplished with delays that were more
than adequate for good failure recovery. Redesigned compensators
provided improved stability augmentation and new trim
solutions allowed recovery from the severest failures.

3. The automatic recovery procedures, especially in some of the
severe failure cases, are sometimes contrary to traditional
pilot training (e.g., reduce throttle at high pitch-up and
slowing airspeed conditions). This is not unexpected since
training cannot anticipate all types of failures, whereas
the RFCS is designed to solve these previously-unanticipated
problems. Note that the "expert-system" approach to reconfiguration
is frequently based on pilot training, shown here
to be an inadequate solution in some cases.

4. Proper design of the nominal flight control system can result
in large degrees of passive fault tolerance and, thereby, make
the FDI system design substantially easier (i.e., detection
of "large" failures can be made with more reliability (higher
detection and lower false alarm probabilities)).

5. Highly fault-tolerant RFCS design can be achieved only if the
various functions (ARM, FCS, FDI) are complementary. Analysis
methods that allow characterization of FCS failure-robustness
in terms of FDI performance specifications, and other integrated
design and analysis methods need to be developed.

SECTION 2


REVIEW OF RFCS TECHNOLOGY DEVELOPMENTS 

The purpose of the work described in this report was to assess the 
capabilities of the RFCS technologies developed by ALPHATECH under contracts 
NAS1-18004 and NAS1-17411 by integrating them into a complete restructurable 
control system. This section briefly describes the technologies to be integrated.
Further details are available in [1] and [5].

The overall RFCS shown in Fig. 1-2 is broken down into three functional 
elements: Failure Detection and Identification (FDI), a robust multivariable
Flight Control System (FCS), and an Automatic (control system) Redesign Module 
(ARM). The ARM is composed of a feedback compensator redesign algorithm and a 
feedforward re-trim algorithm. 

Robust multivariable flight control technology has been developed exten- 
sively over the last 20 years and will not be discussed in this section. 
However, it is important to note that for fault tolerance, both stability and 
performance robustness are important. Thus, the notion that one must trade- 
off nominal performance and robustness in the design of a FCS system is only 
partially true (it applies to stability robustness but not to performance). 

In addition, pilot-in-the loop concerns further modify this "classical" 
tradeoff notion (since large FCS stability margins sometimes adversely affect 
handling qualities). In this project we utilized the LQ methodology for the 
baseline FCS design (the compensator redesign algorithm is based on LQ ideas
also). Thus, the conclusions drawn about passive FCS fault-tolerance are all
for LQ designs (known to have good theoretical stability margins). Explora- 
tion of fault tolerant capabilities of other design methods is a suggested 
area of further study. 

The remainder of this section outlines the basic ideas and capabilities 
of the FDI system, the compensator redesign algorithm and the retrim algorithm.
First, however, a brief description of the failure modes of interest
is given. 

2.1 FAILURE MODELS

The RFCS technologies described in this section are capable of dealing 
with a broad class of failures. We have limited this study to control element 
failures because of their criticality. In general, we can describe virtually 
any control element failure as follows. Let $\delta_c$, $\delta_a$, and $\delta_e$ be a commanded
control value, an actuator output, and an effective control value, respectively
(see Fig. 2-1). Both normal and failed operation of a control element
are described by

$$\delta_a(s) = A(s)\,\delta_c(s) + d_a(s) \qquad \text{(2-1)}$$

$$\delta_e(s) = E(s)\,\delta_a(s) + d_e(s) \qquad \text{(2-2)}$$

where $s$ denotes the Laplace transformation variable. Under ideal no-failure
circumstances $E(s) = 1$, $d_a(s) = d_e(s) = 0$ and $A(s)$ represents the unfailed
dynamics of the actuator.

Specific actuator-path failures can be defined by different values for 
$A(s)$ and $d_a(s)$ as shown in Table 2-1.

Figure 2-1. Measurement Configuration and Analytic Redundancy Implications

TABLE 2-1. ACTUATOR-PATH FAILURE MODELS

Stuck      $A = 0$   $d_a(t)$ = a constant
Floating   $A = 0$   $d_a(s) = K(s)$ * (local angle of attack)
Runaway    $A = 0$   $\delta_a(t)$ = slewed to control limit

Specific aircraft-path failures can be defined by different values of 
$E(s)$ and $d_e(s)$. Common definitions of aircraft-path failures are shown in
Table 2-2. 

TABLE 2-2. AIRCRAFT-PATH FAILURE MODES

Stuck          $E = 0$   $d_e(t)$ = constant
Floating       $E = 0$   $d_e(s) = K(s)$ * (local angle of attack)
Partial Loss   $E < 1$   $d_e = 0$ or
                         $d_e = (1-E)K(s)$ * (local angle of attack)

Note that most actuator path failures result in zero control authority ($A = 0$)
whereas some commonly discussed aircraft-path failures have nonzero effectiveness
($E \neq 0$). This situation will have an impact on how the FDI results
are interpreted for use by the control redesign procedure. 

2.2 FAILURE DETECTION AND IDENTIFICATION (FDI) 

The FDI algorithm that was developed under contract no. NAS1-18004
focused on the general problem of detecting and identifying control element 
failures. This focus stems not only from the fact that such failures can 
result in emergency conditions, but also because any restructurable control 
system is limited in its ability to respond to emergency conditions by the 
amount of remaining control authority. Thus, the FDI system must detect such 
failures and identify the remaining control authority. The algorithm developed
in NAS1-18004 (see [5]) maximizes the sensitivity to control element
failures by explicitly including appropriate failure hypotheses in its 
operation. 

Figure 2-1 describes the information flow which is available for FDI 
for an assumed measurement configuration. The figure first shows several par- 
allel actuator paths in which failures of each actuator can be independently 
detected through the use of the analytical redundancy which is embedded in the 
independent actuator models. That is, "actuator-path" failures can be detected
by comparing a predicted actuator output (based on the measured input, $\delta_c$, and
an actuator model) with the measured output, $\delta_m$.

Although many control element failure modes are covered by such comparisons,
there are other failure modes which are not. This is also illustrated
in Fig. 2-1. In particular, when an effective control value (i.e., the
control value which actually moves the airplane) differs from the measured
output of the actuator, then a control element failure also exists. These
failures can be detected by the use of the analytical redundancy which is
embedded in an aircraft model. That is, "aircraft-path" failures can be
detected by comparing the measured motion variables (which are a function of 
the aircraft states) with a prediction of these variables based on the control 
measurements. 

Clearly, from the figure, all control element failures could be detected 
using an aircraft model that includes the actuator models thereby eliminating 
the need for actuator output measurements and reducing the cost and weight 
associated with the sensor hardware and redundancy management. However, the 
parallel actuator-path FDI algorithms are very simple and reliable. As a 
result, the FDI system developed in [5] contains independent actuator-path
and aircraft-path algorithms. 

The structure of both actuator- and aircraft-path FDI systems developed 
in [5] involves a monitoring or trigger process and a verification and/or 
isolation process. The trigger process is used to reject the hypothesis of 
normal operation and to trigger the verification and isolation processes which 
reject false triggers and identify the source of a failure. This structure is 
used to achieve performance advantages which approach the performance of known 
onset-time algorithm without undue complexity. The advantages include greater 
failure sensitivity, lower false alarm rates, and shorter detection delays. 

2.2.1 Aircraft-Path Subsystem 

The aircraft-path trigger was designed to make the probability of missing 
a critical failure small. Thus, each failure mode has an explicit trigger
function that is optimized for triggering under the corresponding failure
mode. Each trigger satisfies the condition that IF a particular "minimal"
failure occurs, THEN the corresponding trigger test will "pass." Since the
converse is not necessarily true and since false triggers are possible, 
verify and isolate tests are performed. 

The verify and isolate tests are binary-hypothesis sequential tests, and 
are designed so that failures that are larger than some minimal value will be 
detected and isolated in shorter time periods. If these tests reach a maximal 
time limit, no decision (in favor of either hypothesis) is made. 

The isolation process recognizes the fact that only the rejection of 
failure mode hypotheses is possible when detailed signature information is not 
used (as is the case in [5]). This fact results, in principle, in a matrix 
of isolation tests, each designed to reject a failure mode with maximal sen- 
sitivity to another failure mode. Although this structure appears complex, 
it guarantees optimal performance for every failure mode and allows detailed 
analysis and optimization of each part of the system. In practice, the off- 
diagonal tests in this isolation matrix were combined for efficiency. Also, 
in principle, only those failure modes which are in the "trigger-implied 
ambiguity group" need to be isolated, although in practice all failures were 
considered as possible following any trigger. To declare a failure, all iso- 
lation tests must "vote" in favor of that failure, although alternate decision 
mechanisms are described in Section 3. 

2.2.2 Actuator-Path Subsystem 

The character of the actuator residuals (all actuator failure directions 
are mutually orthogonal) resulted in one actuator-path subsystem for each
actuator failure. Thus, no isolation process was needed. These subsystems,
like the aircraft-path subsystem, also used a trigger/verify structure to
"solve" the unknown onset time problem. Two decision processes were created
and tested: a fixed threshold and a varying threshold algorithm.

The fixed threshold algorithm was designed to accommodate the observed 
low frequency behavior in each residual, sensor noise, and other high 
frequency errors. The result of a trigger crossing its threshold is the ini- 
tiation of a sequential verify test. If the verify test passes, the corre- 
sponding control element is declared as failed. If a verify fails, a "false 
trigger" is declared. Because fixed thresholds were used to accommodate low 
frequency errors, the sensitivity to actuator path failures was higher than 
originally expected (though by no means unacceptable). 

The varying threshold algorithm was based on the concept derived in [5] 
for single-input, single-output systems with transfer function errors. It 
assumed that all transfer function errors were high frequency relative errors. 
Observations clearly indicated that this was not the case, and consequently, 
this decision process did not perform as well as expected. Further work in 
this area is needed before substantive conclusions can be drawn. For this 
study, the fixed threshold algorithm was used. 
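
The fixed-threshold trigger/verify logic described above for a single actuator path, as an added example that is not code from the original report. The first-order actuator model, the Gaussian sequential probability ratio test used for the verify step, the time limit (borrowed from the aircraft-path description in 2.2.1), and all numeric values and function names are assumptions chosen for illustration.

```python
import math


def model_output(commands, a=0.8):
    """Predicted output of the unfailed actuator A(s), discretised as a
    first-order lag y[k+1] = a*y[k] + (1-a)*delta_c[k] (assumed model)."""
    y, out = 0.0, []
    for c in commands:
        out.append(y)
        y = a * y + (1.0 - a) * c
    return out


def residuals(commands, onset=None, stuck_value=0.0, glitch_at=None):
    """Residual = measured output delta_m minus the model prediction.
    From sample `onset` on, the surface is stuck (A = 0, d_a = stuck_value).
    Sensor noise is a constructed bounded sequence; `glitch_at` adds one
    isolated measurement spike that has no failure behind it."""
    res = []
    for k, y_hat in enumerate(model_output(commands)):
        actual = y_hat if onset is None or k < onset else stuck_value
        measured = actual + 0.05 * math.sin(1.7 * k)
        if k == glitch_at:
            measured += 1.0
        res.append(measured - y_hat)
    return res


def actuator_fdi(res, trigger_thr=0.3, m_min=0.5, sigma=0.5,
                 alpha=0.01, beta=0.01, max_verify=50):
    """Trigger on |residual| > fixed threshold, then run a sequential
    binary-hypothesis verify test: H0 residual mean 0, H1 residual mean
    of magnitude m_min (minimal failure), design error std sigma.
    Returns a list of (trigger_sample, outcome, samples_used)."""
    upper = math.log((1.0 - beta) / alpha)    # accept H1: declare failure
    lower = math.log(beta / (1.0 - alpha))    # accept H0: false trigger
    events, k = [], 0
    while k < len(res):
        if abs(res[k]) <= trigger_thr:        # normal-operation hypothesis holds
            k += 1
            continue
        sign = 1.0 if res[k] > 0 else -1.0    # failure direction seen at trigger
        llr, j, outcome = 0.0, k, "no_decision"
        while j < len(res) and j - k < max_verify:
            # Gaussian log-likelihood ratio increment for a mean shift m_min
            llr += (m_min / sigma ** 2) * (sign * res[j] - m_min / 2.0)
            j += 1
            if llr >= upper:
                outcome = "failure"
                break
            if llr <= lower:
                outcome = "false_trigger"
                break
        events.append((k, outcome, j - k))
        if outcome == "failure":              # element declared failed, stop
            break
        k = j                                 # resume monitoring after verify
    return events


if __name__ == "__main__":
    cmds = [0.0] * 5 + [2.0] * 95             # constructed command history
    print("unfailed     ", actuator_fdi(residuals(cmds)))
    print("sensor glitch", actuator_fdi(residuals(cmds, glitch_at=10)))
    print("stuck at 0.8 ", actuator_fdi(residuals(cmds, onset=40, stuck_value=0.8)))
    print("stuck at -1.0", actuator_fdi(residuals(cmds, onset=40, stuck_value=-1.0)))
    print("stuck at 1.6 ", actuator_fdi(residuals(cmds, onset=40, stuck_value=1.6),
                                        max_verify=10))
```

With these constructed inputs the larger stuck offset is verified in fewer samples than the smaller one, the isolated spike is rejected as a false trigger, and an offset below the minimal design magnitude runs into the time limit without a decision.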

2.3 AUTOMATIC CONTROL SYSTEM REDESIGN PROCEDURES 

The automatic redesign procedures (auto-trim and compensator redesign) 
developed in this project focused on incorporating all likely sources of 
information about the failed aircraft into the redesigned control system. 

The auto-trim algorithm utilizes information (linear models) about the
desired (unfailed) operating point, the remaining control authority, and any
measurable disturbances (e.g., the effect of a stuck off-centered control
surface) to re-solve for a new trim condition. The compensator redesign algorithm
also uses linear models for the desired operating point and remaining
control authority information. It also utilizes information about control
bandwidths that is embedded in state and control weights for an LQ "basis-compensator"
(i.e., the compensator resulting from execution of the redesign
algorithm with an unfailed aircraft model). New control gains that ensure
robust stability and maximize command following performance are then output
from the algorithm following a detected and isolated failure. 

To be specific, we assume, in both the feedback control redesign problem
and the automatic trim problem, that a desired equilibrium point of the
unfailed aircraft is given and a linear model of the failed aircraft at that
operating point is available. That is, we assume that after a failure, the
behavior of the aircraft is modeled by

$$\dot{x}_p = A x_p + B u_p + w_p + \xi \qquad \text{(2-1)}$$

where $x_p$ is the perturbation of the state vector from the unfailed equilibrium
value $x_0$, $u_p$ is the perturbation of the control vector from $u_0$, $w_p$ is a vector
of known or measurable disturbances, and $\xi$ is an unknown disturbance. The
state transition and control effectiveness matrices $(A,B)$ model the dynamics
of the failed aircraft.

2.3.1 Auto Trim 

For constant nonzero disturbances $w_p$ (e.g., a stuck control surface),
the trim solution $(x_p, u_p) = 0$ is clearly no longer an equilibrium point for
Eq. 2-1. The trim problem is formulated to find a new desirable equilibrium
point for Eq. 2-1, subject to travel constraints on the control elements. In
addition, we impose the constraint that the new equilibrium states be within
the region of validity for the linear model, and that no other important state
constraints are violated (e.g., minimum air speeds). When a solution to the
problem does not exist, we wish to minimize the departure from some desirable 
conditions, subject to the same constraints. 

Mathematically, the trim problem is formulated as follows. Let the
desired conditions, $y_d$, be represented by

$$C x_p = y_d \qquad \text{(2-2)}$$

Constraints on the controls and states can usually be given by simple
bounds, viz.,

$$x_L < x_p < x_U, \qquad u_L < u_p < u_U \qquad \text{(2-3)}$$

Next, define the objective function,

$$J_2 = \|A x_p + B u_p + w_p\| + \|C x_p - y_d\| , \qquad \text{(2-4)}$$

the feasible set,

$$F = \{x_p, u_p : \text{Eq. 2-3 holds}\} \qquad \text{(2-5)}$$

and the optimizing set,

$$D = \{x_p, u_p : (x_p, u_p) = \arg\min J_2\} \qquad \text{(2-6)}$$

The automatic trim problem is then compactly expressed by

$$\min J_1 = \|x_p - x_p^0\| + \|u_p - u_p^0\| \qquad \text{(2-7)}$$

subject to $(x_p, u_p) \in F$ and $D$

where $x_p^0$ and $u_p^0$ are some desired a priori perturbations from $x_0$, $u_0$ (usually
zero).

When Euclidean norms are used in Eqs. 2-4 and 2-7, the trim problem is 
reduced to a form which can be solved using quadratic programming techniques 
(see [1] for details of the solution method).
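
A small numerical illustration of the trim formulation in Eqs. 2-2 to 2-7, added here and not taken from the report's Fortran program. It replaces the two-level problem with a weighted sum $J_2^2 + \epsilon J_1^2$ (squared Euclidean norms, $x_p^0 = u_p^0 = 0$) solved by projected gradient descent rather than the quadratic programming method of [1]; the one-state, two-control model, the function name and all numbers are constructed.

```python
import math


def solve_trim(A, B, w, C, y_d, lo, hi, eps=1e-3, iters=5000):
    """Approximate auto-trim for x_dot = A x + B u + w (Eq. 2-1 without xi).

    Minimises ||A x + B u + w||^2 + ||C x - y_d||^2 + eps*(||x||^2 + ||u||^2)
    over the box lo <= [x; u] <= hi by projected gradient descent.
    The small weight eps stands in for the second-level objective J_1.
    Returns (x_p, u_p, J_2) with J_2 evaluated as the sum of the two norms."""
    n, m = len(A), len(B[0])
    # Stack both residuals of J_2 as M z - b with z = [x_p; u_p]
    M = [list(A[i]) + list(B[i]) for i in range(n)]
    M += [list(row) + [0.0] * m for row in C]
    b = [-wi for wi in w] + list(y_d)
    z = [min(max(0.0, l), h) for l, h in zip(lo, hi)]
    # Step 1/L, where L bounds the largest eigenvalue of the Hessian
    step = 1.0 / (2.0 * (sum(v * v for row in M for v in row) + eps))

    def resid(zv):
        return [sum(mij * zj for mij, zj in zip(row, zv)) - bi
                for row, bi in zip(M, b)]

    for _ in range(iters):
        r = resid(z)
        grad = [2.0 * sum(M[i][j] * r[i] for i in range(len(M)))
                + 2.0 * eps * z[j] for j in range(n + m)]
        # Gradient step followed by projection onto the travel/state limits
        z = [min(max(zj - step * g, l), h)
             for zj, g, l, h in zip(z, grad, lo, hi)]

    r = resid(z)
    equilibrium_err = math.sqrt(sum(v * v for v in r[:n]))
    output_err = math.sqrt(sum(v * v for v in r[n:]))
    return z[:n], z[n:], equilibrium_err + output_err


# Constructed toy case: one state, two redundant control elements, and a
# constant measurable disturbance w_p = 0.5 (e.g. from a stuck surface).
A = [[-1.0]]
B = [[1.0, 1.0]]
W = [0.5]
C = [[1.0]]
Y_D = [0.0]


def trim_cases():
    """Three travel-limit settings on the two controls (state limit +/-1)."""
    wide = solve_trim(A, B, W, C, Y_D, [-1.0, -1.0, -1.0], [1.0, 1.0, 1.0])
    one_limited = solve_trim(A, B, W, C, Y_D, [-1.0, -0.1, -1.0], [1.0, 1.0, 1.0])
    both_limited = solve_trim(A, B, W, C, Y_D, [-1.0, -0.1, -0.3], [1.0, 1.0, 1.0])
    return wide, one_limited, both_limited


if __name__ == "__main__":
    for name, (x, u, j2) in zip(("wide limits", "u1 limited", "u1, u2 limited"),
                                trim_cases()):
        print(name, [round(v, 3) for v in x], [round(v, 3) for v in u],
              round(j2, 3))
```

With wide limits the disturbance is cancelled by splitting the effort evenly between the two controls; limiting one control shifts the remainder to the other, and limiting both leaves no feasible trim, so the residual is shared between the equilibrium error and the departure from the desired output.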

The solution to the trim problem $(x_p^*, u_p^*)$ is applied to the control
elements as a feedforward term. In particular, if the LQ feedback gain matrix
is $G$, then it can be shown ([1],[6]) that the application of
$\delta_{\text{feedforward}} = G x_p^* + u_p^*$ at $t = 0$ will change Eq. 2-1 to

$$\dot{x}_p = (A - BG)(x_p - x_p^*) + \xi . \qquad \text{(2-8)}$$

Since $(A - BG)$ is stable, $\dot{x}_p \to 0$, and $x_p \to x_p^*$. Furthermore, for nonconstant
disturbances, $w_p$, the solution to Eq. 2-7 can be obtained at each time that $u_p$
is available. The feedforward control then serves to reduce the effect of $w_p$,
dynamically (see [6] for theoretical justifications).

Of course, errors in the linear model of Eq. 2-1 will always exist and,
therefore, the solution to Eq. 2-7 can only get us close to the desired conditions.
The feedback control system, when properly designed, will ensure
that when a feasible solution exists ($J_2 = 0$) the actual states will be driven
close to the values selected by the trim problem. However, the performance of
the feedback system (in terms of driving the aircraft to a new selected trim,
as well as other disturbance rejection and command-following properties) is
degraded due to control element failures. Although this degradation may not
be severe when sufficiently robust control laws are used, it is, nevertheless, 
of interest to explore methods of feedback compensator redesign. 

2.3.2 Compensator Redesign 

The goal of the feedback compensator redesign algorithm given in [1], 
is to recover, after failure, as much as possible of the desirable properties 
of some nominal control system (for the unfailed aircraft) subject to the 
constraint that the new compensator not violate any control-loop bandwidth 
constraints. The bandwidth constraints are imposed so that the stability 
robustness properties of the basic LQ compensator (which is used in the 
redesign procedure) are maintained. The problem is formulated in a probabilistic
sense that includes the effects of model uncertainty, in order to
acknowledge the increased potential of having inaccurate models after a
failure occurs.

Mathematically, the compensator redesign problem is formulated as follows.
The magnitude of the return difference matrix of the failed aircraft
is a measure of feedback performance. The return difference is defined by

$$D(s) = I + G(sI - A)^{-1}B \qquad \text{(2-9)}$$

where s is the Laplace transform variable and G is the gain matrix which 
defines the feedback compensator which we wish to determine (note, all com- 
pensator dynamics such as integrator states are included in A and B). Next, 
we assume that some nominal compensator satisfies bandwidth constraints of 
the form 

HP(jm c I-A 0 r 1 B 0 N 0 l < 1 (2-10) 


where $(A_0, B_0)$ are the system and control matrices for the unfailed
aircraft, $N_0$ is the square root of the inverse of some nominal control
weighting matrix and $P$ is a bandwidth scaling matrix. Next, we assume that
$B$ can be expanded as $B = B_f + \Delta B$, where $B_f$ is the expected value
of $B$ and where $\Delta B$ is a random matrix with zero expected value and
known second moments;

$$\Sigma_{ijkl} = E\{[\Delta B]_{ij}\,[\Delta B]_{kl}\}. \tag{2-11}$$

The optimization problem we wish to solve is to maximize the expected "size"
of $D(s)$ and minimize the expected size of the uncertainty about $D(s)$ while
ensuring that the resultant control law satisfies bandwidth constraints of
the form

$$\|P(j\omega_c I - A)^{-1} B_f N\| < 1 \tag{2-12}$$

where N is the square root of the inverse of the LQ control-weighting matrix 
which produces the new control law. The solution, G, is derived by solving 
the following problem. 

$$\max\ \mathrm{Tr} \int_0^\infty E\{D^T(s)\,D(s)\} - E\{[D(s) - E\{D(s)\}]^T\,[D(s) - E\{D(s)\}]\}\; ds \quad \text{subject to Eq. 2-12} \tag{2-13}$$

where D(s) = N^D(s)N. In [1] we describe how the use of the Kalman Equality, 
2-7, to express D(s) in terms of the control and state weights can be used to 
approximately solve Eq. 2-13. The solution is only valid for reduced effec- 
tiveness failures. When no uncertainty is present, the solution is trivial: 
simply solve the LQ design problem with the original weighting matrices and 
the new value of B. 

SECTION 3


INTEGRATION ISSUES 

In this section we discuss issues associated with the creation of a 
complete RFCS from the algorithms reviewed in Section 2 (robust flight con- 
trol, FDI, compensator redesign and automatic trim). These issues can be 
roughly characterized as either performance or interface issues. For the
performance issues, we discuss various engineering tradeoffs that occur when
good unfailed-performance and high degrees of fault-tolerance are desired.
This discussion looks at general functional requirements of restructurable
flight control (with less regard to the algorithms already developed).

The overall performance goal of any RFCS is the development of a control 
system that allows the pilot, whenever it is physically possible, to ade- 
quately control the aircraft despite large changes to the dynamic input/output 
relationships of the aircraft and despite the presence of sometimes large 
force and moment disturbances. This goal requires adequate controllability 
(in the qualitative sense) for many possible failure modes including multiple 
simultaneous and sequential control element failures as well as failures that 
affect the basic aerodynamics of the aircraft.

In order to achieve this qualitative controllability goal, the RFCS must 
always be stable (this implies nominal stability and stability robustness for 
all failure modes), should have very good disturbance rejection properties, 
and should attempt to maximize command following performance. Furthermore, 
these goals must be achieved without violating the physical constraints on the
aircraft. As discussed in [1] and in Section 1, these goals can be achieved 
through a combination of passive and active fault-tolerant control functions. 
These functions are now discussed in detail in terms of how they can be used 
to satisfy the overall RFCS performance requirements and in terms of the 
design issues which need to be addressed for each function. Four general 
functions are discussed. They are: 

1. Passive Robust Feedback Compensation, 

2. Failure Detection, 

3. Active Control System Reconfiguration, 

4. Identification.

3.1 PASSIVE ROBUST FEEDBACK COMPENSATION 

Much has been said about this function in past reports (see [1]). Feed- 
back compensation is frequently used to achieve command-following performance 
goals for unfailed aircraft because it achieves the desired performance de- 
spite "small" modeling errors and disturbances. For RFCS's, we want to expand 
this capability as much as possible without sacrificing the stability robust- 
ness of the control law for the unfailed aircraft. To achieve an expanded 
tolerance to errors and disturbances, we would like to raise the loop gains 
and distribute control authority amongst independent control elements as much 
as possible. Limitations exist because of control element bandwidths and 
noise considerations. 

The above discussion indicates that the process of creating a feedback
compensator which is, as much as possible, tolerant or robust to failures
is really no different in its goals than the process of creating a
high-performance multivariable compensator for the unfailed aircraft. Perhaps the
only difference is that one may wish to increase the stability robustness 
specifications to include larger errors due to the possibility of failures. 

It is this increased stability robustness specification which can give rise 
to a "tradeoff between nominal performance and failure robustness." However, 
closed-loop stability is only one requirement for good failure recovery per- 
formance. The large loop gains associated with a high performance compensator 
are also important for passive failure recovery. Therefore, it is more impor- 
tant to achieve nominal performance first, and to use any remaining degrees 
of freedom in the design to increase stability robustness in the presence of 
failures. 

The design considerations discussed above, when properly addressed, can 
achieve a large degree of fault tolerance (see, e.g., [1]). Nevertheless, 
there may be failures which can only be handled by changing or reconfiguring 
the control system. This process requires various "active fault tolerance" 
technologies which are discussed below. 

3.2 FAILURE DETECTION 

Clearly, if active reconfiguration is necessary, we must first detect the 
fact that the aircraft is not operating normally. To define "normal" we need 
models of the aircraft, and since model errors will always exist, the detec- 
tion system must use the best information while maintaining its sensitivity to 
important failure modes. The important failure modes should be determined by 
the capabilities of the passive compensator discussed above and considered 
explicitly in the design of the failure detection mechanism. (Note that it 
may be possible to use one detection mechanism for many modes and still
maintain adequate sensitivity. This is especially true for different types of
control element failures like stuck, floating, partially missing, runaway, 
etc.). Typically, it is believed that the "size" of the important failure 
modes can be much greater than the size of the modeling error that defines 
normal operation. Thus, it should be easy to minimize false alarms in the 
process of detecting important failures. 

In addition to detecting important failures explicitly, it may also be 
desirable to detect other unanticipated failures. Generic detection tests 
which use all information (an aircraft model) to its fullest are appropriate 
for this function; however, care must be taken to avoid false alarms. 

Note that we have not considered any form of failure identification in 
this process. This is because the requirements of the identification function 
are dependent on the active reconfiguration strategy which is discussed next. 

3.3 ACTIVE CONTROL SYSTEM RECONFIGURATION 

The purpose of this function is to "reoptimize" the performance of the 
control system for the new failure conditions. This reoptimized performance 
includes the need to reject disturbances due to the failure, recover command 
following as much as possible, and ensure closed-loop stability (stability 
robustness). 

In order to perform this reoptimization, any reconfiguration strategy 
requires some knowledge about the failed aircraft. More (and more accurate) 
information will allow any reconfiguration strategy to better reoptimize air- 
craft performance in the presence of failures. For example, if we knew only 
that some individual control element was inoperative, and that the failure was 
inducing no disturbances on the aircraft, then the technique of simultaneous
stabilization, [8], might be an appropriate reconfiguration strategy. This 
strategy would ensure closed-loop stability but does nothing to optimize com- 
mand following or disturbance rejection performance. As another example, if 
a single control was stuck at a known position, the effectiveness of that con- 
trol was known, and all controls had equivalent bandwidths, then a mixer-like 
strategy, [9], might be appropriate since it can recover the map from the 
unfailed control element commands to the forces and moments. 

The LQ compensator redesign procedure and feedforward trim of [1] require
some knowledge of both control effectiveness and disturbances. More
specifically, these procedures are implemented using estimates of the failed
aircraft's linearized dynamics including estimates of uncertainty. Since this
information covers nearly all failure modes, the performance of this strategy is only
dependent on the quality of the estimates of the required information. The 
problem of providing accurate information is addressed in the following iden- 
tification function. 

3.4 IDENTIFICATION

In general, the question of what must be identified for adequate recon- 
figuration performance is still an open one. As discussed above, the most 
general information might consist of the selection of an operating point and 
the determination of the failed aircraft's linearized dynamics (including 
measurable/estimable portion of disturbances). The most important pieces of 
information for any strategy, however, are the failed aircraft's control
effectivenesses and an estimate of the disturbances. This is because
failures of control elements can cause large disturbances, and redistribution
of control authority is only possible when the remaining authority is known.
The failed aircraft's stability characteristics (if different from the 
unfailed aircraft) may be important in some cases, although this has not 
been investigated. 

In order to maximize the quality of the identification procedure, it 
is typically necessary to "focus" the identification algorithm on the most 
important parameters for the particular failure mode. Focusing is important
because it allows only the best information (i.e., that with the largest
signal-to-noise ratio) to be selected. For example, if it is known that a
particular control element is stuck at a particular position and that no other
failures have occurred, then the estimation of the disturbance caused by this
failure is trivial (see Section 5). Similarly, if an aircraft path failure
(e.g., partially missing, etc.) can be isolated to a single control element, 
then the joint estimation of all control effectivenesses would not be neces- 
sary and the identification procedure could focus on only the failed control. 

Because focusing can be extremely important for identification proce- 
dures, we see that a first step in identification is typically the isolation 
of failure modes. The isolation process answers the question "Which failure
mode occurred?" The remaining step is one of estimation which then provides
the detailed information needed for a reconfiguration strategy. An open
question is the determination of what level of isolation is needed to obtain
the focusing necessary to provide quality estimates.

Finally, although focusing of estimation algorithms on important param- 
eters is important, it will only allow the best extraction of the information 
that is available. If this information is of low quality, then estimates will 
be poor. In order to ensure quality estimates, therefore, it is necessary to 
ensure good signal-to-noise ratios in the signals being used for estimation.
The only way this can be done is through the application of known control
"probes" (or dither-like signals). These probes only need to be active during
a brief identification period following a failure and would not interfere
with normal flight. Furthermore, these probes can be designed to have minimal
impact on the aircraft while enhancing the distinguishability of failures and
improving estimation performance.

3.5 SUMMARY 

The four basic functions needed to achieve high degrees of fault-tolerant 
control are 

1. Feedback compensation during normal flight, 

2. Failure detection, 

3. Control system redesign procedures, and 

4. Identification.

Each of these functions should be designed with the following concerns. 


FEEDBACK COMPENSATION 

1. If the nominal compensator has high loop-gains at low frequen- 
cies, then it will be able to passively accommodate many force 
and moment imbalances due to failures. 

2. High loop-gains, however, may reduce stability robustness in the 
face of failures. However, this may not be important if detec- 
tion, identification, and compensator redesign results in a 
robustly stable aircraft. 

3. If the compensator can passively accommodate "large" failures,
then failure detection thresholds can be set to values that
significantly reduce false alarms. Thus, it is important to
characterize the passive fault-tolerance of the nominal compensator.

4. If the failure detection system cannot detect some failures with- 
out sacrificing false-alarm performance, then the nominal compen- 
sator should be designed to passively accommodate those failures. 


CONTROL SYSTEM REDESIGN


1. The redesigned feedback compensator must ensure stability and 
optimize disturbance rejection and command following performance 
without violating the control bandwidths that guarantee stability 
robustness. 

2. To maximize performance, details of the failure condition are
needed. Since many details are only available from identification
procedures, on-line redesign is important.

3. Feedforward compensation (such as automatic trim) can be very 
useful in rejecting measurable disturbances. However, overly 
restrictive requirements (e.g., recover all forces and moments 
as in the mixer approach) can lead to control saturation. 

4. When no failure exists, the redesigned control law should 
recover the nominal controller in order to minimize transients 
due to false alarms in which identification returns values close 
to the unfailed aircraft. 

5. Assessment of the capabilities of redesigned control laws defines 
the overall limitations of the RFCS. These limitations can only 
be overcome by more "inherent redundancy." 

6. Since identification procedures contain inaccuracies, the redesign 
procedures should incorporate measures of uncertainty about the 
parameters that drive the redesign. 

7. The selection of a desired post-failure operating point can have
a large impact on the RFCS's ability to recover from large
failures.


IDENTIFICATION 

1. Better estimates of critical parameters can be obtained if iden- 
tification algorithms are focused. One method of focusing is to 
"isolate" the cause of an important failure, and then identify 
only the relevant parameters. 

2. Estimates of identification accuracy are needed since the redesign 
procedure can maximize robustness if this estimate is available. 

3. Estimation of post-failure control authority is the most important
aspect of identification since it impacts how control power can be 
redistributed in the redesigned control law. 

4. Probe or dither signals can be useful in improving identifica- 
tion accuracy. This can be done without affecting the overall 
stability of the unfailed aircraft since these signals only need 
to be applied after a failure is detected. 

The issues discussed above are considered to be those that are most
important in the development of an integrated RFCS in which the capabilities
and limitations of each part of the RFCS are complemented by others. Further
work in integrated RFCS design should include design and analysis methods that
ensure such complementary functionality. This is the only way to ensure and
justify the high degree of fault tolerance that is claimed for restructurable
flight control systems.

SECTION 4


INTERFACE ISSUES 

The interface issues that are discussed in this section are unique to 
the details of the algorithms that are being integrated. Methods for dealing 
with "mismatching" interfaces are derived and a description of the top-level 
control-logic for the demonstration system is developed. Much of the top-level 
operation is derived as a consequence of specific assumptions about detectable 
and isolatable failures and the expected results of reconfiguration. 

In contrast to integration issues, the interface problem is particular 
to the algorithms that are being used for this project. The three basic func- 
tional blocks (FDI, ARM, and FCS; see Fig. 2-1) each have data input require- 
ments and output capabilities that were derived somewhat independently. The 
result was a mismatch between the data that the FDI algorithm naturally pro- 
vides and the information requirements of the ARM. 

In particular, the FDI algorithm only provides "discrete" information 
about failures such as what failures have caused triggers, what failures 
could be verified and which failures are more likely than others (see [5]). 
When appropriate, flags are set to indicate that a particular control element 
failure has been detected and isolated or that a false trigger has occurred. 
Unfortunately, the automatic redesign module (trim and compensator redesign) 
needs a different set of information. The ARM module is based on the assump- 
tion that, after a failure occurs, the FDI system will provide an estimate of 
the linear dynamics of the aircraft (at some desired flight condition), an
estimate of any significant observable disturbances, and some characterization
of the uncertainty of these estimates.

Since the FDI algorithm is only concerned with control element failures,
any stability effects due to failures must be ignored. Therefore, the state
transition matrix (A) for the failed aircraft will be identical to its value
for the unfailed aircraft and will be stored as data for the ARM. Note that
the value of A that is used in the ARM represents the linear dynamics of the
unfailed aircraft about any desired operating point and need not correspond
to the operating point of the aircraft just prior to reconfiguration.

Similarly, the elements of matrix Bf corresponding to unfailed control 
elements will be derived from the unfailed linear dynamics at the desired 
operating point. 

The uncertainty characterization described in Section 2 (see [1] for more
details) is a fourth order tensor involving the cross-covariances of elements
in the uncertainty matrix $\Delta B$. For simplicity, we will assume that
$\Sigma_{ijkl}$ is zero when $j \neq l$ (i.e., the effectiveness estimation
errors for different controls are uncorrelated) and use the multiplicative
model

$$[B]_{ij} = E_j\,[B_0]_{ij} \tag{4-1}$$

where $E_j$ is a random variable representing the effectiveness of the j-th
control. Thus, since $B_f$ is the expected value of $B$ (see Section 2),

$$[B_f]_{ij} = E\{E_j\}\,[B_0]_{ij} \tag{4-2}$$

and

$$\Sigma_{ijkj} = [B_0]_{ij}\,[B_0]_{kj}\,\sigma_j^2 \tag{4-3}$$

where $\sigma_j$ is the standard deviation of $E_j$ and would typically take on
values between zero (no uncertainty) and one (100 percent uncertainty),
although values exceeding one are not excluded.

4.1 ACTUATOR-PATH FAILURES

The FDI system has the capability of detecting and isolating multiple
simultaneous and sequential actuator-path failures. When actuator failures
are detected and verified, reasonable values for $B$, $w_p$, and $\sigma_j$
can be determined by referring to the failure models described in Section 2.
These models indicate that most failures result in zero authority and that
the disturbances are governed by the actual position of the control element.
Therefore, a wide range of actuator failures can be adequately handled by
zeroing the column of the expected control effectiveness matrix ($B_f$)
corresponding to failed actuators, and estimating the observable disturbances
by

Wp - l bf (Si. - s" 1 ”) (4-4) 

ie {Failed Actuators} 

Although originally conceived for stuck surfaces in which $w_p$ is constant,
Eq. 4-1 can be executed at every time instance in order to allow the trim
algorithm to properly handle floating and runaway failures. Also, note that
by zeroing the columns of B corresponding to verified actuator failures, the
ARM will eliminate their use in any reconfigured control law. Thus, the
values assigned to the uncertainty parameters, $\sigma_j$, are immaterial and
can be left at their default (no-fail) value (typically zero).

The FDI system also has the capability to indicate when an actuator 
failure is suspected, but not clearly verified. Since the ARM is capable of 
dealing with uncertainty, it is superficially attractive to consider the pos- 
sibility of utilizing the compensator redesign algorithm as an interim means 
of providing fault tolerance between the time that a failure has triggered 
and it is verified. There are two drawbacks to this idea, however. First, 
the FDI system is capable of identifying false triggers by failing to verify 
a failure after it has been triggered. In this case, the transition to an 
interim set of control gains and back to the originals when a false trigger 
is identified could create undesirable transient control deflections. The
second drawback to this idea lies in the fact that the use of a redesigned 
compensator will tend to de-emphasize the use of the suspected control ele- 
ment. This decreased use can frequently result in smaller failure signatures 
(refer to the failure models) and possibly cause false trigger indications. 

The overall result could then be a limit cycle of gain transitions caused by 
repeated triggers and false-trigger identifications. Since the actuator-path 
system is capable of detecting failures in a very short period of time (under 
one second) the lack of an interim robust control law during periods of
suspected actuator failures will not severely impact overall aircraft performance.
The problems cited above are then avoided by utilizing only the original con- 
trol law until an actuator failure is triggered and verified. 

4.2 AIRCRAFT-PATH FAILURES 

The first thing to recognize in transforming aircraft-path FDI information
into values of $B_f$, $w_p$, and $\sigma_j$ is that (unlike the actuator case)
there is no directly measurable disturbance ($w_p$) estimate. Since most of the likely
failure modes presented in Section 2 have no resulting disturbance associated 
with them, we will assume that aircraft-path failures as a whole have this 
property. As a result, the trim algorithm will not be executed for aircraft- 
path failures. Those failure modes that do have significant disturbances 
(e.g., runaway or stuck off-center) may, therefore, be problematic for this 
system. 

In developing values for $B_f$ and $\sigma$, it is useful to recognize the four
basic events that the aircraft-path FDI system can create. They are,

1. A single control element failure is isolated. 

2. A trigger occurred, but all verify tests fail, indicating
a false trigger,

3. A trigger occurred, some verify tests passed, but the isolation
test results preclude isolation of a single control
(unable-to-decide), and

4. A trigger occurred, but states 1, 2, or 3 have yet to be declared.

Event number 4 is similar to the "triggered but not yet verified" actuator
case discussed above. The arguments for utilizing the original compensator
in this state are equally valid here. Thus state 4 is handled by doing
nothing.

Event number 3 (unable-to-decide) could occur either due to larger than 
anticipated model error effects, or due to a situation in which the size of 
a failure signature precludes the reliable isolation of two or more control 
elements. The first situation would indicate treatment of event 3 as a false 
trigger as appropriate. In the latter situation, however, substantial amounts 
of time might elapse before a correct identification of the failed control can 
be made (correct identification will never be made if failures are indistin- 
guishable). Treating event 3 as a false trigger in this case could therefore 
be detrimental to failure recovery. Thus, compensator redesign should take 
place when event 3 is declared. 

Event number 2 frequently occurs when no failure is present and therefore
suggests that a return to a control law that assumes that there is no
aircraft-path failure is appropriate (a "return" is necessary only if event 3
occurred previously; the occurrence of event 2 suggests that the previous
state-3 occurrence was due to model error).

Finally, in Event 1, when a single control can be isolated as failed, an
estimate of $B_f$ and $\sigma_j$ that somehow reflects the uncertainty about
the post-failure control authority of the failed surface would be useful.


CONFUSION SET CREATION (EVENT 3)

The idea behind forming a confusion set comes from two aspects of the FDI
system. First, in the design of the aircraft-path FDI system, it is possible
to identify control elements that cannot be isolated from each other. In
this case, it is typical to treat all indistinguishable controls as a single
fictitious control that will be detected and isolated upon the occurrence of
any control failures within the indistinguishability or "confusion" set. The
737 application presented in Section 5, in fact, has such a situation. Force
and moment imbalances by themselves are not sufficient for distinguishing
same-side elevator and stabilizer controls and are therefore treated as single
"horizontal-tail" controls (left and right) in the FDI algorithm [5]. In the
demo RFCS system developed for this project, modifications to the FDI decision
logic were made so that the isolation of a horizontal tail failure would
result in event 3 with the only undecidable "test" being a fictitious elevator
versus stabilizer test.

The second motivation for a confusion set is due to the occurrence of 
event 3 when marginally isolatable failures are present. Recall that in 
event 3 some or all of the verify tests may have passed but no unanimous ver- 
dict (declaring a single control to be failed) can be reached. When this 
occurs, we would like to examine the verify and isolate test results to
determine what subset of failures could be indicated.

We approach the development of this set by determining the failures which
are ruled out of consideration. First recall that each sequential (verify and
isolate) test can be in one of three situations when event 3 occurs. Each
sequential test statistic could have crossed its positive threshold, its
negative threshold or be in between [5]. When a verify statistic crosses its
negative threshold, there is a clear indication that the corresponding failure
should not be considered as part of the confusion set. Conversely, when it
has crossed its positive threshold, there is, as yet, no reason to rule that
control out of the confusion set. When the verify test statistic is in
between, the situation is not as clear. However, the original data
structures of the FDI algorithm did not permit distinguishing this case from
the case where it crossed the negative threshold, thus we eliminate both
"failed verify" and "unverified" controls from the confusion set.

The isolation test results are also used in the formation of a confusion 
set when event 3 occurs. To rule out a control from this set on the basis of 
isolation results, we require that some isolation test clearly indicates that 
the control to be ruled out is less likely than another control. That is, for 
every isolation test that crosses its positive or negative threshold before 
event 3 occurs, the control which is contra-indicated is ruled out of the 
confusion set. 

Thus, the confusion set consists of those controls that have been veri- 
fied, have been found to be more likely than another control, or have been 
involved in isolation tests which are unable to decide, but have not been 
found to be less likely than another control. This procedure produces the 
desired result in prototypical cases (e.g., two controls are more likely 
than all others, but the test distinguishing these two is unable to decide). 
However, other interesting possibilities for confusion sets arise. One
possibility is that an empty confusion set could be created. Using the
notation a > b to imply that the isolation test between a and b decides in
favor of a, we would get an empty confusion set with, say, a, b, c verified
and a > b, b > c, and c > a. While this should not physically occur
(especially when a, b, or c is actually failed) there is no numerical
guarantee that it will
not occur. In the demo RFCS such a situation will be treated the same as 
event 2. Another property of this procedure is that a confusion set of size 1 
occurs when a unanimous verdict is present. This is a pleasing result since 
it was our original requirement that isolation to a single control would be 
declared when a unanimous verdict was reached. However, it is also possible 
for a confusion set of size 1 to occur without a unanimous verdict. For 
example, a three control (a, b, and c) situation in which only a is verified 
and a > b, but a vs c is unable to decide, will result in a confusion set con- 
sisting of only a. This is an interesting result that sometimes makes sense, 
but has not been deeply explored in terms of consistency with actual physical 
failure scenarios. Note, however, that the decision logic implied by the 
confusion set would impact the FDI performance results reported in [5].


CREATING $B_f$ AND $\sigma_j$ FOR EVENT 3

Having developed a confusion set consisting of all possible sources of
failure when no unanimous decision can be reached (for a single control or
for a false-trigger), we now present two methods for translating this type of
uncertainty into values of $B_f$ and $\sigma_j$ needed for the ARM.

Using the model of Eq. 4-1, we see that we need to transform the confusion
set into a probability distribution for all the $E_j$.


Method 1

Let,

$$f(E_j \mid j \notin C) = \delta(E_j - 1) \tag{4-5}$$

$$f(E_j \mid j \in C) = p_j\,\delta(E_j) + (1 - p_j)\,\delta(E_j - 1) \tag{4-6}$$

It is then possible to show that

$$E\{E_j \mid j \notin C\} = 1 \tag{4-7}$$

$$E\{E_j \mid j \in C\} = 1 - p_j \tag{4-8}$$

$$\sigma_j^2 = \begin{cases} 0, & j \notin C \\ p_j(1 - p_j), & j \in C \end{cases} \tag{4-9}$$

In the above, $p_j$ represents the probability of the "event" ($E_j = 0$ and
$E_i = 1$, $i \neq j$). Thus, some measure of the magnitude of the relative
likelihoods of each failure is desirable. While such measures are computable
within the FDI system, it is felt that the extra effort in such computations
is not worthwhile and we will use $p_j = \|C\|^{-1}$ for all j in C ($\|C\|$
denotes cardinality or number of members in the set, C).


Example 

pi = probability that Ei = 0, Ej = 1, j ≠ i, with i, j in {1,2,3}. 

$$E\{E_1\} = p_1 \cdot 0 + p_2 \cdot 1 + p_3 \cdot 1 = 1 - p_1, \quad \text{since } (p_1 + p_2 + p_3) = 1$$

$$E\{E_1^2\} = p_1 \cdot 0^2 + p_2 \cdot 1^2 + p_3 \cdot 1^2 = 1 - p_1$$

$$\operatorname{Var}(E_1) = \sigma^2 = (1 - p_1) - (1 - p_1)^2 = p_1(1 - p_1) \tag{4-10}$$

and similarly for i = 2 and 3. 

Method 2 

Let f(Ej | j ∉ C) be as in Eq. 4-5 and 

$$f(E_j \mid j \in C) = p_j\,p_w(E_j) + (1 - p_j)\,\delta(E_j - 1) \tag{4-11}$$

where p_w(Ej) is a uniform density on the interval [0,1]. 
The statistics of Ej are then given by Eq. 4-7 and 

$$E\{E_j \mid j \in C\} = 1 - p_j/2 \tag{4-12}$$

$$\operatorname{Var}\{E_j\} = \begin{cases} 0, & j \notin C \\ \dfrac{p_j}{12}\,(4 - 3p_j), & j \in C \end{cases} \tag{4-13}$$

Again, pj represents the likelihood that the j-th control has failed. However, 
in this method, we assume that Ej is uniformly distributed on [0,1] under 
the hypothesis that j has failed and that it is equal to 1 under all other 
hypotheses. 
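
The two methods above, worked as an added Python example (it is not code from the report or from its Fortran implementation). It builds the mean and variance of each Ej directly from the mixture densities and checks them against the closed forms of Eqs. 4-8, 4-9, 4-12 and 4-13; the short control labels are hypothetical names for the seven aircraft-path control elements, and pj is set to ‖C‖⁻¹ for every member of C as the text chooses.

```python
"""Added example: confusion set C -> mean and variance of each control
effectiveness factor E_j under Method 1 and Method 2."""
from fractions import Fraction

# Hypothetical short labels for the seven aircraft-path control elements.
CONTROLS = ("LT", "RT", "LHT", "RHT", "R", "LA", "RA")

# (first moment, second moment) of the densities the two methods mix.
POINT_AT_0 = (Fraction(0), Fraction(0))          # delta(E_j): control lost
POINT_AT_1 = (Fraction(1), Fraction(1))          # delta(E_j - 1): control intact
UNIFORM_0_1 = (Fraction(1, 2), Fraction(1, 3))   # uniform density on [0, 1]


def mixture_stats(components):
    """Mean and variance of a mixture given (weight, m1, m2) per component."""
    if sum(w for w, _, _ in components) != 1:
        raise ValueError("mixture weights must sum to 1")
    m1 = sum(w * a for w, a, _ in components)
    m2 = sum(w * b for w, _, b in components)
    return m1, m2 - m1 * m1


def effectiveness_stats(confusion_set, method, controls=CONTROLS):
    """Return {control: (mean, variance)} of E_j for the given confusion set.

    method 1 mixes delta(E_j) with delta(E_j - 1)        (Eq. 4-6)
    method 2 mixes uniform[0, 1] with delta(E_j - 1)     (Eq. 4-11)
    """
    if method not in (1, 2):
        raise ValueError("method must be 1 or 2")
    members = set(confusion_set)
    unknown = members - set(controls)
    if unknown:
        raise ValueError(f"unknown controls in confusion set: {sorted(unknown)}")
    if not members:
        # The empty set is a separate RFCS event, not an input to these formulas.
        raise ValueError("confusion set is empty")
    p = Fraction(1, len(members))            # p_j = 1 / |C| for every j in C
    failed = POINT_AT_0 if method == 1 else UNIFORM_0_1
    stats = {}
    for name in controls:
        if name in members:
            stats[name] = mixture_stats([(p, *failed), (1 - p, *POINT_AT_1)])
        else:
            stats[name] = mixture_stats([(Fraction(1), *POINT_AT_1)])  # Eq. 4-5
    return stats


def closed_form(p, method):
    """Mean and variance for a member of C, straight from the equations."""
    p = Fraction(p)
    if method == 1:
        return 1 - p, p * (1 - p)               # Eqs. 4-8 and 4-9
    return 1 - p / 2, p * (4 - 3 * p) / 12      # Eqs. 4-12 and 4-13


if __name__ == "__main__":
    for size in range(1, 5):
        c = CONTROLS[2:2 + size]
        for method in (1, 2):
            mean, var = effectiveness_stats(c, method)[c[0]]
            assert (mean, var) == closed_form(Fraction(1, size), method)
            print(f"|C|={size} method {method}: mean={mean} var={var}")
```

For the same confusion set, Method 2 always gives a mean closer to 1 and a smaller variance than Method 1, because it spreads the failed hypothesis over partial effectiveness instead of total loss.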


SUMMARY OF AIRCRAFT-PATH INTERFACE 

The demo system to be described in Section 5 employs the following logic 
upon the identification of the four FDI events described above (a detailed 
description of the software implementation is given in [10]). 

Event 1 Use Eqs. 4-2, 4-3, and 4-7, 4-12, 4-13 with pj = 1, where 
j is the index associated with the isolated control. 

Event 2 Return (if event 3 previously declared; otherwise, no 
return necessary) to the nominal (unfailed) compensator 
when there are no actuator failures. When actuator 
failures are present, return to α, Bf values set by 
actuator failure detection. 

Event 3 Use Eqs. 4-2, 4-3, and 4-7, 4-8, 4-9 with pj = . 

Event 4 Make no change to the compensator. 


4.3 OVERALL RFCS OPERATION 

This subsection puts together the concepts discussed thus far and fully 
describes the functional operation of the overall RFCS developed for this 
project. Details of the software implementation are provided in [10]. 

Figure 4-1 presents a state transition diagram (or finite-state machine 
description) for the overall RFCS algorithm. In this figure, there are eight 
types of events that cause transitions and two distinct types of states. The 
two types of states represent: 

1. FCS operational states labeled F0, F′, F″, and F‴; State F0 
always corresponds to the baseline or nominal flight control 
law (gains and trim values); States F′, F″, and F‴ correspond 
to gains and trim values that have been redesigned. 

2. Reconfiguration-method states labeled A1, A2, A3, A4; in each 
of these states, the ARM parameters (Bf, α, wp) are updated (dif- 
ferently for each state) and the compensator redesign and/or 
auto-trim algorithms are executed. 

The system always starts in F 0 . The state transitions are due to seven FDI 
events (4 for the aircraft-path and 3 for the actuator-path subsystem) and 
an eighth event that accounts for the possibility of the formation of an 
empty confusion or ambiguity set when event 3 occurs (note events 1 through 
4 correspond to the events discussed in subsection 4.2). The FDI transition 
events are: 

1. AQI = Aircraft-path failure was successfully isolated, 

2. AQFT = Aircraft-path false trigger occurred (all verifies fail), 

3. AQD = Aircraft-path verify and isolation tests are unable to 
decide either 1 or 2, 

4. AQT = Aircraft-path trigger, but 1-4 yet to occur, 

5. ACV = Actuator-path failure successfully verified, 

6. ACFT = Actuator-path false trigger occurred, 

7. ACT = Actuator-path trigger, 5 or 6 yet to occur. 

[Figure 4-1. RFCS State Transition Diagram. Legend, FDI transitions: 
ACT = actuator trigger; ACV = actuator verify; ACFT = actuator false 
trigger (reset); AQT = aircraft trigger; AQI = aircraft verify and isolate; 
AQFT = aircraft false trigger (reset); AQD = aircraft unable to decide 
(reset); C=∅ = empty ambiguity/confusion set. FCS nodes: parameter sets 
used in FCS operation. ARM nodes: procedure for updating the ARM 
parameters and redesign/retrim.] 

The empty confusion set event (C=∅) occurs during calculations involved in two 
of the reconfiguration-method states (A3 and A4). 

Transitions are always made within a single computational cycle until all 
FDI events that occurred in that cycle are taken into account. A transition 
from one FCS state to another implies that the gains and trim values last 
created in the "target" state are to be used. Transitions without labels 
indicate that this transition occurs if no other FDI transition events are 
observed. When no unlabeled transitions are given, the state remains unchanged 
for the next cycle. 

The RFCS described by Fig. 4-1 is capable of handling any combination 
of single aircraft-path and multiple actuator-path failures occurring sequen- 
tially or simultaneously. A small degree of "self-healing" is present in the 
return to previous FCS parameter sets when AQD is followed by in the same 
cycle or by AQFT in a subsequent cycle. 

The reconfiguration-method states provide different means for updating 
the ARM parameters and subsequently calling the compensator redesign and 
auto-trim algorithm. Each of these states is now defined (note, the RFCS 
software implementation of [10] does not incorporate the exact logic of Fig. 
4-1, though it is functionally equivalent). 

Reconfiguration Method A1 

Method A1 is used each time ACV occurs. The matrix Bf is computed using 
Eq. 4-2 with E{Ej} updated to zero if actuator "j" was verified. Ej retains 
its previous value otherwise. The values of αj are not updated; wp is updated 
using Eq. 4-4. Finally, both the trim and compensator redesign algorithms are 
executed if Bf, wp, or any αj is significantly different than their "previous" 
values (note, "previous" here is used to indicate the values computed at the 
last time the algorithms were executed). 

Reconfiguration Method A2 

This is used any time AQI occurs. The matrix Bf is computed using Eq. 
4-2 with E{Ej} updated using Eq. 4-12 with pj = 1 for j = the identified 
control only if it does not also have a verified actuator-path failure. It is 
left at zero (set previously by A1) otherwise. Equation 4-3 is used to update 
αj with pj = 1 for j = the identified control. Otherwise it is left at zero. 
wp is unchanged. The compensator redesign algorithm is executed if Bf or αj 
are significantly different than their "previous" values. The trim algorithm 
is not executed. 

Reconfiguration Methods A3 and A4 

The computations for these two states are the same. They are distinct 
states because their transitions under AQFT are different. This method is 
used when AQD occurs. The matrix Bf is computed using Eq. 4-2 with E{Ej} 
updated using Eq. 4-8 with pj = ‖C‖⁻¹ for j ∈ C only if control j does not 
also have a verified actuator-path failure. It is left at zero (set previ- 
ously by A1) otherwise. Equation 4-9 is used to update αj with pj = for 
j ∈ C only if control j does not also have a verified actuator-path failure. 
Otherwise it is left at zero. wp is unchanged. The compensator redesign 
algorithm is executed if Bf or any αj are significantly different than their 
previous values. The trim algorithm is not executed. 


Example 

An example of the RFCS state transitions under multiple failures is now 
given. Physical justifications for some of the transition events are also 
given. 

1. A severe maneuver is executed causing an AQD transition to A3 
(due to large model error excitation). A (C=∅) transition to 
F″ then occurs. 

2. A small maneuver is executed causing an AQFT transition back 
to F0 (small model errors are excited). 

3. An aircraft-path failure on a marginally loaded surface occurs 
causing an AQD transition to A3 followed by a (C=∅) transition 
to F″. In the same cycle, an ACV event occurs causing a tran- 
sition from F″ to A1 and then to F′. 

4. A maneuver occurs that excites the control having an aircraft- 
path failure causing an AQI transition from F′ to A2 and then 
back to F′ with a new set of FCS parameters. 

5. Some time later, another actuator-path failure occurs causing 
an ACV transition from F′ to A1 and then back to F′. 

SECTION 5 


APPLICATION TO A MODIFIED B-737 AIRCRAFT 

In this section, the details of the integrated RFCS demonstration system 
are provided and results of extensive simulations resulting from embedding 
ALPHATECH's RFCS software in NASA's nonlinear 6-DOF simulation of a modified 
B-737 are described. Due to problems uncovered during software integration, 
several design deficiencies that were identified remained unsolved. However, 
these deficiencies (mostly in the FCS) do not affect the more meaningful con- 
clusions drawn from the simulation results. Plots of aircraft responses for 
various simulations are given in Appendix A. 

5.1 DEMONSTRATION SYSTEM DETAILS 

5.1.1 Operating Point 

The choice of operating point for simulations was governed by the flight 
conditions for which the FDI system was designed [5]. The trim condition is 
defined by: 


Velocity = 160 knots 
Altitude = 3500 ft 
Gear Up 
Flaps = 15 degrees 
Flight path angle = 0 degrees 

The state and control vectors are defined by 

State vector x (5-1): 

    forward velocity, ft/sec 
    vertical velocity, ft/sec 
    pitch rate, rad/sec 
    pitch angle, rad 
    side velocity, ft/sec 
    roll rate, rad/sec 
    yaw rate, rad/sec 
    roll angle, rad 

Control vector u: 

    δLT     left engine thrust, lbs 
    δRT     right engine thrust, lbs 
    δLS     left stabilator, deg 
    δRS     right stabilator, deg 
    δR      rudder, deg 
    δLE     left elevator, deg 
    δRE     right elevator, deg 
    δLA     left aileron, deg 
    δRA     right aileron, deg 
    δSPL    left spoiler, deg 
    δSPR    right spoiler, deg 





The trim values of x and u at this flight condition are 

x0 = (283, 24, 0, .085, 0, 0, 0, 0) (5-3) 

u0 = (3644, 3644, -3.1, -3.1, 0, 

The linear model for perturbations to this trim condition when no failure 
exists is 

$$\dot{x}_p = A_0 x_p + B_0 u_p \tag{5-5}$$

where xp = (x - x0), up = (u - u0), and A0 and B0 are given by 

(5-6) 

(5-7) 

The open loop eigenvalues for the aircraft at this flight condition are 


Lateral Eigenvalues 
Dutch Roll -0.125 ± 1.23j 

Roll Subsidence -.0051 
Spiral -2.02 


Longitudinal Eigenvalues 
Short Period -.690 ± 1.36j 

Phugoid -.00486 ± 1.33j 


(5-8) 

5.1.2 Flight Control System 

The baseline FCSs used for this demo are full state feedback LQ designs 
with integrator compensation for pitch and bank angles and for forward and 
side velocity (see [1] for details). Figure 5-1 shows the FCS implementation 
including the insertion of the trim values. Only primary control surfaces 
and the throttle were used for dynamic control (no spoilers). With compensa- 
tion the linear model becomes 

$$\dot{z}_p = A z_p + B u_p \tag{5-9}$$

where 

$$z_p = \begin{bmatrix} x_p \\ x_I \end{bmatrix}, \qquad A = \begin{bmatrix} A_0 & 0 \\ C & 0 \end{bmatrix}, \qquad B = \begin{bmatrix} B_0 \\ 0 \end{bmatrix} \tag{5-10}$$

$$C = \begin{bmatrix} 0 & 0 & 0 & 1 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 0 & 1 \\ 1 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \end{bmatrix} \tag{5-11}$$

$$G_y = [\,G_4 \;\; G_5 \;\; G_8 \;\; G_1\,] \tag{5-12}$$

$$G_r = [\,G_2 \;\; G_3 \;\; G_6 \;\; G_7\,] \tag{5-13}$$

$$G_I = [\,G_9 \;\; G_{10} \;\; G_{11} \;\; G_{12}\,] \tag{5-14}$$

where Gi is the ith column of the compensator gain. 


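The equations of the compensator are: 

$$\dot{x}_I = -r + C x_p - C x_0 \tag{5-15}$$

$$u = u_0 - G_r x_r - G_y C x_p + G_y C x_0 + G_y r - G_I x_I \tag{5-16}$$

where 

$$x_r = C_r x_p, \qquad C_r = \begin{bmatrix} 0 & 1 & 0 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 1 & 0 & 0 & 0 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 1 & 0 & 0 \\ 0 & 0 & 0 & 0 & 0 & 0 & 1 & 0 \end{bmatrix} \tag{5-17}$$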


Two compensator gains (G) were used in the simulation results described in 
subsection 5.2. The first gain matrix is the one used in [1]. This gain made 
use of full independent individual control elements (referred to later as 
the full compensator). Unfortunately, it was designed for a different flight 
condition than the one being employed in this study. The gain matrix is 

(5-18) 

The resulting closed loop eigenvalues are 

    Lateral            Longitudinal 
    -.60 ± .59j        -.071 ± .065j 
    -1.1               -.54 
    -2.1 ± 1.7j        -.84 ± .87j 
    -2.6               -3.9                  (5-19) 


An alternative gain was formulated using the control and state weights used 
to produce the G of Eq. 5-19 with A0 and B0 of Eqs. 5-6 and 5-7. This compen- 
sator did not have substantially different eigenvalues than those of Eq. 5-19. 
Time did not permit further investigation of alternative full compensators. 

The second gain matrix utilized only standard B-737 control action. This 
eliminates all use of differential stabilizer, elevator, and throttle and col- 
lective aileron. Time did not permit a detailed design of this compensator. 
Therefore, we took the control and state weights used in the design of the 
gains in Eq. 5-18, generated a full LQ compensator from these weights, and set 
various terms to zero. The terms set to zero were 1) the lateral state feed- 
back to the stabilizers, elevators, and throttles, 2) the longitudinal state 
feedback to the ailerons, and 3) all integrator state feedback except the 
integral of velocity to throttle terms. The resultant G is given by 

The resulting closed loop eigenvalues are 


Lateral 

Longitudinal 

-1.8 ± 2.0j 

-2.4 ± 1.4j 

-1.7 ± 0.35 j 

-0.60 


-0.18 


-0.048 


(5-21) 


The FCS limits the control values at their maximum and minimum values 
and implements a nonminimal version of the FCS in order to prevent integrator 
windup when the controls reach these limits [10]. Unless specified otherwise 
in subsection 5.2, the control limits are 


Δumin = (-2400, -2400, -10.8, -10.8, -10, -15, -15, -20, -20, 0, 0) (5-22) 

Δumax = (9800, 9800, 6.2, 6.2, 10, 15, 15, 20, 20, 8, 8) (5-23) 


5.1.3 Compensator Redesign Algorithm 

The inputs to the compensator redesign algorithm are the control and 
state weighting matrices for a basis controller, the linear dynamics of the 
failed aircraft at some desired flight condition and some measure of uncer- 
tainty about the linear model. We will assume that the flight condition 
defined by Eqs. 5-3 to 5-7 is the desired post failure condition. Since no 
failure mode causes aerodynamic changes, the failed A matrix Ap = A0. The 
failed B matrix, Bf and the uncertainty measure, Bijkfc* are derived in 
Section 3. For reference, the state and control weights used for redesign 
are (see [in 

5.1.4 Linear Trim Algorithm 

The trim algorithm utilizes the same linear model as the compensator 
redesign algorithm, plus: 1) a linear model relating the important variables 
to the states, 2) upper and lower bounds on allowable state and control per- 
turbations, and 3) a weighting matrix to improve convergence of the quadratic 
programming algorithm. 

The important variables are, as in previous reports, the flight path 
angle and angular rates. The angular rates are states (making the corre- 
sponding parts of the linear model for item 1 trivial) and the relationship 
between state perturbations and perturbations to flight path angle at this 
flight condition is 

$$\Delta\gamma = 0.00030\,\Delta u - 0.00353\,\Delta w + \Delta\theta \tag{5-26}$$

The bounds on the state and control deviations were derived in the same manner 
as [1] and, unless specified otherwise in subsection 4.2, are given by 

a) Δumin = (-2400, -2400, -10.8, -10.8, -10, -15, -15, -20, -20, 0, 0) 
b) Δumax = (9800, 9800, 6.2, 6.2, 10, 15, 15, 20, 20, 8, 8)              (5-27) 

a) Δxmin = (-30, -2.4, -3, -.26, -30, -3, -3, -.09) 
b) Δxmax = (30, 20, 3, .088, 30, 3, 3, .09)                              (5-28) 

Constraints on angular rates are meaningless since they are regulated as 
important variables. 

5.1.5 Failure Detection and Identification 

A complete description of the FDI software is given in [10]. Its design 
and performance characteristics are detailed in [5]. For this project, an 
interface module that translates FDI test results into appropriate flags for 
use in the RFCS logic was designed. The interface module also expands the 
isolation matrix to accommodate both horizontal tail surfaces (same side ele- 
vator and stabilizer surfaces are treated as a single control element in the 
FDI system since they are indistinguishable). For reference purposes, the 
FDI aircraft-path routine refers to the control elements in the following 
order: 

1. Left Throttle 

2. Right Throttle 

3. Left Horizontal Tail 

4. Right Horizontal Tail 

5. Rudder 

6. Left Aileron 

7. Right Aileron 

5.2 DISCUSSION OF TEST CASE RESULTS 

This subsection provides a discussion of the simulation results. Plots 
of the temporal responses of important variables for several important test 
cases are given in Appendix A. This discussion includes notes on the per- 
formance of the aircraft during maneuvers, the operational characteristics 
(states) of the RFCS, comparisons between performance with and without the 
RFCS, the effects due to FDI decision errors and delays, and the fault toler- 
ant capabilities of the two nominal control laws employed in the baseline FCS. 

The original test plan is given in Table 5-1. It was formed to examine 
the following issues: 

1. Comparison of earlier [1] (actuator failure) results which 
assumed perfect FDI with actual FDI results, 

2. Examination of performance for correctly detected and isolated 
aircraft path failures, 

3. Examination of degraded performance due to imperfect isolation 
of aircraft-path failures, 

4. Effects on performance of aircraft-path false triggers. 

Most simulations were run with sensor noise and no turbulence. The 
effects of turbulence were examined in a few examples near the end of the 
project. In addition, baseline runs (no failure) of two climbing turn maneu- 
vers were made. In total, NASA performed 40 simulations and made substantial 
modifications to the original simulation and RFCS software in order to enable 
batch operation on the CDC Cyber machine and to correct data and logical flaws 
in the RFCS design. 

TABLE 5-1. ORIGINAL TEST PLAN 

Test Set 1 (Effects of Real Actuator FDI) 

1.1.1 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     Stuck Rudder at 5 seconds 
      Environment: No FDI or Recon 

1.1.2 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     Stuck Rudder at 5 seconds 
      Environment: Perfect FDI 

1.1.3 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     Stuck Rudder at 5 seconds 
      Environment: Real FDI 

1.2.1 Maneuver:    None 
      Failure:     Stabilator runaway of CR-178064 at 5 Seconds 
      Environment: No FDI or Recon, Travel limits of CR-178064 

1.2.2 Maneuver:    None 
      Failure:     Stabilator runaway of CR-178064 at 5 Seconds 
      Environment: Perfect FDI, Travel limits of CR-178064 

1.2.3 Maneuver:    None 
      Failure:     Stabilator runaway of CR-178064 at 5 Seconds 
      Environment: Real FDI, Travel limits of CR-178064 

Test Set 2 (Correctly Isolated Aircraft-Path Failures) 

2.1.1 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     100% missing left aileron at 5 seconds 
      Environment: No FDI or Recon 

2.1.2 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     100% missing left aileron at 5 seconds 
      Environment: Real FDI 

2.2.1 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     100% missing rudder at 5 seconds 
      Environment: No FDI or Recon 

2.2.2 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     100% missing rudder at 5 seconds 
      Environment: Real FDI 

Test Set 3 (Imperfectly Isolated Aircraft-Path Failures) 

Small Ambiguity Group (LE/LS) 

3.1.1 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     100% missing left stabilator at 5 seconds 
      Environment: No FDI 

3.1.2 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     100% missing left stabilator at 5 seconds 
      Environment: Real FDI 

Large Ambiguity Group (LE, LS, RE, RS) 

3.2.1 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     100% missing left elevator at 5 seconds 
      Environment: No FDI 

3.2.2 Maneuver:    Climbing Turn at 10 Seconds 
      Failure:     100% missing left elevator at 5 seconds 
      Environment: Real FDI 

Test Set 4 (Aircraft-Path False Triggers) 

4.1.1 Maneuver:    Pitch Doublet at 10 Seconds 
      Failure:     None 
      Environment: No FDI 

4.1.2 Maneuver:    Pitch Doublet at 10 Seconds 
      Failure:     None 
      Environment: Real FDI 

4.2.1 Maneuver:    Roll Doublet at 10 Seconds 
      Failure:     None 
      Environment: No FDI 

4.2.2 Maneuver:    Roll Doublet at 10 Seconds 
      Failure:     None 
      Environment: Real FDI 

It should be mentioned again that certain deficiencies in the compensator 
designs were known to exist (see subsection 3.1.2). The results presented 
here should therefore be used for comparison purposes only. Actual perfor- 
mance of the aircraft under both failed and unfailed conditions would be dif- 
ferent had these deficiencies been remedied. Nevertheless, the comparisons 
of performance made in this report are believed to be representative of the 
overall performance of the integrated restructurable flight control system. 

The rest of this section is organized by groups of simulation runs. For 
each group, a brief discussion of the characteristics of each run and a com- 
parison of results is given. 

5.2.1 Baseline Maneuvers (R001 and R036) 

Appendix A defines the command profiles and shows the command response 
for these two runs. R001 uses the full FCS (i.e., nonstandard control action) 
and the original climbing turn maneuver (CT1) while R036 uses the limited FCS 
(only standard control action and no integrators on pitch, bank or sideslip) 
and a new maneuver (CT4). 

Notes 

1. The aircraft response in R001 is similar to that of [1] despite 
the fact that the compensator was designed for a different oper- 
ating point. 

2. The effect of the nonminimal realization (used to handle windup 
in the integrators) is seen in the fact that the controls do not 
return to their trim values after the maneuver. 

3. The effect of the lack of sensor compensation is also seen in 
the high frequency actuator activity, although this does not 
affect the aircraft response. 

4. The trim values used in the FCS are not correct. This is evi- 
denced in the calibrated airspeed response before the maneuver 
occurs. 

5. The altitude response for R036 is not very good (h is not zero 
in steady state). 

6. Bank and roll responses for R036 and R001 are similar, although 
R036 has a larger sideslip response. 

7. The aileron response for R036 is smaller than for R001. 

8. The speed response for R036 is slower than in R001, although 
a direct comparison is not possible since the maneuvers are 
different. 


DUAL STABILIZER RUNAWAY (R006, R025, R026) 

In each of these simulations, both left and right stabilizers ramp to 
their trailing-edge-up limit at 5 seconds. No maneuver is executed. The 
full FCS is used in each run. Run R006 has no reconfiguration, R025 executes 
the RFCS, and R026 executes the RFCS with a "perfect" FDI module (failure is 
detected at its onset time). 


Notes 

1. Run R006 exhibits severe departure from the nominal flight con- 
dition. Large phugoid oscillations are present for more than a 
minute after the failure time. The airspeed drops to a minimum 
of 137 fps (from a trim value of 289 fps), pitch angle reaches a 
maximum value of 40 degrees at about 15 seconds and 50 seconds, 
and the angle of attack reaches a maximum of 23.99 degrees (pos- 
sibly a simulation limit) several times. The elevator saturates 
fairly quickly in response to the positive pitching moment caused 
by the failure, but this is insufficient for recovery/stabilization 
of the aircraft. 

2. Run R025 exhibits superior recovery performance. This is believed 
to be largely due to the decrease in trim airspeed assigned by 
the RFCS. This causes the departure of the angle of attack to be 
arrested very quickly (∂w/∂u Δu is used to cancel the w distur- 
bance due to the failure). The altitude response is the only 
response in this run that could be considered worse than R006. 
In R025, airspeed drops only to a minimum of 184 fps, pitch angle 
only reaches a maximum of 20 degrees and is nearly stabilized 
by 35 seconds (although some small phugoid oscillation or slow 
departure may exist) and the angle of attack reaches a maximum of 
12.6 degrees at 24 seconds and is stabilized at about 10 degrees 
by 36 seconds. The elevator and throttle responses show the 
major control differences between this run and R006. Throttle 
is immediately reduced when the failure is detected (as in [1]) 
in order to achieve the lower trim airspeed. 

3. The failure is detected at 5.3 seconds (0.3 seconds after the 
runaway is initiated). New gains are computed at this time and 
at 32 seconds, when the aircraft-path FDI system triggers another 
redesign. This redesign is in response to an undetermined 
aircraft-path failure (LE, RE, or LA) that is declared because 
of the significant deviations of the aircraft from the operating 
point for which the FDI system was designed. The FDI results 
point to a software error in the implementation of the confusion 
set (see Section 4); however, the impact on aircraft performance 
is negligible (see note 4). The trim algorithm is executed 
almost every time step between 5.3 seconds and 8.5 seconds and 
never used again. This is due to the fact that the stabilizer 
runaway failure is implemented as a ramp at the actuator rate 
limit until the actuator reaches its position limit. The distur- 
bances change as the ramp progresses and the trim algorithm is 
executed in response to these changes. The trim is not executed 
once the disturbances stop changing (stabilizers at their limits). 

4. Run R026 looks nearly identical to R025 in all respects, indi- 
cating that the effect of the small FDI delay is negligible. 


5.2.2 Left Stabilizer Runaway (R034 and R035) 

In both of these runs, the limited FCS is used. The failure occurs at 
the maneuver (CT1) time and is implemented by causing the left stabilizer to 
ramp to its limit. Run R034 does not utilize the RFCS and R035 uses the com- 
plete RFCS (real FDI). 


Notes 

1. In R035, the FDI system detects and verifies the actuator fail- 
ure at 10.35 seconds (the failure and maneuver occur at 10.0 
seconds). The trim algorithm is executed almost every time step 
between 10.35 and 12.45 seconds and then again at 34, 41, 47 and 
49 seconds. The initial calls to TRIM are due to the changing 
disturbances caused by the ramp failure. The others are due to 
noise in the sensors used to estimate the disturbance. The trim 
algorithm employs 8 degrees of left spoiler deflection to coun- 
teract the rolling moment due to the failure. 

2. The altitude response for R035 is actually better than the 
response with no failure (R036). This is due to the fact that 
R036 utilizes a control law that is deficient in many ways as 
compared to the "basis-compensator" (i.e., the compensator 
resulting from computing new gains with no failure). 

3. Comparing R034 and R035, we see that the altitude and bank angle 
responses are better with reconfiguration. The new trim airspeed 
is lowered by 26 fps for this case, which allows the maneuver 
to occur with, generally, smaller control deflections. R035 
utilizes differential elevator, aileron, and increased use of 
the remaining stabilizer to return the bank angle to zero after 
the maneuver. Run R034 is only able to return to a significantly 
nonzero bank angle. 

4. Run R034 has a surprisingly adequate recovery profile. The 
ailerons have sufficient authority to counteract the failure 
induced rolling moment, even without integrators on bank angle 
in the control law (see subsection 4.1). 

5. This case would be an interesting one to investigate with a 
piloted simulation with a minimal stability augmentation system 
as the nominal FCS. This is not atypical of commercial transport 
aircraft and would serve to demonstrate the true severity of 
this failure. 


5.2.3 Missing Aileron Failure (R032, R033, R013, and R014) 

Runs R032 and R033 utilized the limited FCS and no and full reconfigura- 
tion, respectively. Runs R013 and R014 utilized the full FCS with no and full 
reconfiguration, respectively. All runs were made with CT1. The failure is 
a 100 percent reduction in the effectiveness of a single aileron. 


Notes 

1. In R014 the FDI system detects and isolates the aircraft path 
failure at 11.5 seconds, 1.5 seconds after the maneuver occurs 
and .7 seconds after the trigger occurs. New gains are calcu- 
lated and no trim is necessary. 

2. In R014, both the pitch and the bank responses are virtually 
identical to the no-failure case (R001). 

3. Pitch and bank responses for R013 are also indistinguishable 
from R001. This verifies the conclusion in [1] that independent 
control of individual (left and right) control elements allows a 
properly designed FCS to possess much passive fault tolerance. 

4. Even with the limited FCS (R032) a substantial degree of passive 
fault tolerance is observed. The bank response is expected to 
be different than R013 and R014 due to the differences in control 
laws. It is still very close to the no-failure case. 

5. Improvements in R032 due to reconfiguration (seen in R033) are 
due to the fact that the basis-compensator is better than the 
limited FCS. The improved response, however, comes with in- 
creased use of some of the controls. This is due to the higher 
loop gains present in the basis-compensator. 

5.2.4 Stuck Rudder (R030 and R031) 

Runs R030 and R031 both use the limited FCS. The rudder was failed 
before the maneuver (CT1) occurred. Runs were made with the full FCS for 
this failure mode also; however, they are not discussed here (see [1]; results 
were essentially the same). For R031, the state limits used in the trim algo- 
rithm were modified to require zero sideslip in steady state. This was done 
to highlight the differences between the two runs. 


Notes 

1. In R031, the FDI system detects the actuator failure at 5.75 
seconds. The detection occurs before the maneuver because of 
the large rudder commands induced by sensor noise (the FCS 
deficiency helps detection in this case). Compensator redesign 
occurs immediately and, because the rudder failed off center 
(about 3 degrees), a new trim solution was obtained. The new 
trim includes substantial differential throttle as well as a 
few degrees of spoiler deflection. The noise associated with 
the rudder measurement causes enough change in the disturbance 
estimate to cause many retrimming operations throughout the run. 
A false trigger in the aircraft-path is subsequently identified 
as such at 18 seconds. 

2. In both R030 and R031, the rudder failure excites a Dutch roll
mode. This mode is less damped without reconfiguration because
the baseline FCS is less damped than the basis-compensator.

3. The bank responses are hard to compare because of the differences
between the baseline FCS and the basis-compensator. However, the
sideslip angle retains an offset from zero (-2 degrees) after
the maneuver that is eliminated by the trim algorithm in R031.

4. The improvements to the altitude response when using the RFCS
are attributable to the differences between the baseline FCS
and the basis-compensator.

5. There is less use of differential aileron in R031 due to the
differential throttle and spoiler deflections caused by the trim
algorithm.

6. Comparison of runs R002 and R009 (real and perfect FDI for stuck- 
rudder failure using full FCS) shows no significant performance 
differences. 


5.2.5 Missing Stabilizer Failure (R017 and R018)

Runs R017 and R018 both employed the full compensator and executed the
CT1 maneuver. The failure was simulated by setting the left stabilizer
effectiveness to zero before the maneuver (at t = 5 sec.). Run R017 did not
utilize the RFCS and R018 implemented the full RFCS.


Notes 

1. In R018, the FDI system detects and isolates a "fictitious" left
horizontal tail failure at 6 seconds. Recall that the known
indistinguishability of the left stabilizer and left elevator
led us to the elimination of tests that would have tried to
distinguish these two failures. The FDI system therefore declares
an undetermined failure (LS or LE) and new gains are derived.
A false trigger of the left aileron occurs at 8 seconds and is
subsequently identified as such (unknown cause). No other
reconfiguration events take place after this.

2. Both R017 and R018 have a small drop in altitude before the 
maneuver that is caused by the failure and is not present in the 
baseline (no-failure) case (R001). 

3. Differences between control responses for R017 and R018 are
significant. Run R018 (with reconfiguration) uses less elevator
and right stabilizer during the maneuver. Noticeable but
insignificant differences in the bank response between these runs are
present. The same is true for the airspeed and pitch responses.

4. There is no substantial performance deterioration in either run
as compared to the no-failure case (R001).

OTHER RUNS 

Many other simulations were run including a missing-elevator failure, a 
missing-rudder failure, roll and pitch doublets with no failure (to examine 
FDI false alarm performance) and several runs with turbulence. The results of 
these runs all support the conclusions drawn in subsection 5.3 and Section 6. 

5.3 SUMMARY 

In this section we presented details of an RFCS design for a modified 
B-737 aircraft. This RFCS included functional elements to detect and isolate 
aircraft-path and actuator-path control element failures, to redesign the 
feedback compensator after a failure has been detected, and to retrim the 
aircraft when significant measurable disturbances are present. The RFCS did 
not include any function to estimate remaining control effectiveness or to 
estimate (rather than measure) significant disturbances. 

Extensive tests using NASA's nonlinear 6-DOF simulation were made. These 
tests were aimed at examining the impact of FDI delays and incomplete FDI 
decisions as well as examining the recovery capability of the compensator 
redesign and retrim algorithms. 

Although the tests are extensive, they do not represent a detailed
experimental paradigm. Therefore, any conclusions drawn from these results
should be separately verified. Also, several design deficiencies were present
in the final RFCS due to a lack of available time to correct them. These
deficiencies included: 1) a nonminimal FCS realization that was implemented in
order to handle windup of the integrators, 2) no filtering of the sensor
measurements, 3) control weights for the compensator redesign algorithm
originated in [1], which used linear models of the aircraft at a different
flight condition for tuning purposes, 4) the limited FCS was developed in a
very ad hoc manner near the end of the project, and 5) the low bandwidth of
the differential throttle loop used in [1] is still present in the full
baseline compensator used in this study.

A general summary of the results described in subsection 5.2 is now 
given. 

1. In general, the RFCS provided the most benefit during catastrophic
failures such as a runaway failure. The retrim algorithm is
believed responsible for this since it allows recovery methods
that cannot be obtained in any other way. The use of changes in
trim velocity appeared particularly useful for the runaway cases
examined in this study. This was also observed in [1] and
represents a failure recovery solution that is contrary to traditional
pilot training for these cases.

2. RFCS performance was virtually indistinguishable in comparisons
of real and perfect FDI cases. The FDI delays of up to several
seconds for aircraft-path failures and up to 1 second for
actuator-path failures are therefore considered more than adequate.
This was true for missing, stuck-at and runaway failures.

3. The baseline control law was sufficiently robust to adequately
compensate for stuck-at and totally missing failures. This was
true for the full compensator (utilizing nonstandard control
action for the B-737) and for the limited compensator (utilizing
only standard B-737 control action). In many cases, the effects
of the failure were barely observable and in no case was the
aircraft's maneuvering performance significantly affected. It is
believed that the good low-frequency gains and the control of
pitch and bank angles in both of the baseline compensators and
the large stability margins of LQ designs are the major factors
influencing this result. A further examination of the
fault-tolerant capabilities of other types of compensators (including
a piloted simulation) would be very instructive.

4. The method used to handle uncertainty about the failure identity
(confusion set operations) could not be accurately evaluated
because of some undetermined implementation errors. However,
the simulations resulting in incorrect confusion sets did not
show any significant performance degradation. This again
suggests that the stability and performance robustness of the
basis-compensator is substantial (resulting in even good
robustness for an incorrectly redesigned compensator). Other support
for this includes lack of any significant effect due to
aircraft-path false alarms.

5. The more severe failures such as stabilizer runaways can cause
enough of a departure from the nominal flight condition to
generate aircraft-path false indications. This is due to the
single-flight condition FDI design and the substantial modeling
errors that are encountered during failure recovery. As
mentioned above, such false indications never significantly impacted
aircraft performance.

6. Some of the post-failure reconfigured responses to maneuver 
commands showed improvements over the no-failure response with 
the limited FCS. This is believed to be due to the deficiencies 
in the design of the limited FCS rather than the nonstandard 
control capability of the reconfigured FCS. 

SECTION 6


SUMMARY AND SUGGESTIONS FOR FUTURE WORK 


The purpose of this study was to examine the complementary capabilities
of several restructurable flight control system (RFCS) concepts through the
integration of these technologies into a complete system. Performance issues
were addressed through a re-examination of RFCS functional requirements, and
through a qualitative analysis of the design issues that, if properly addressed
during integration, will lead to the highest possible degree of fault-tolerant
performance. Software developed under previous phases of this contract and
under NAS1-18004 was modified and integrated into a complete RFCS subroutine
for NASA's B-737 simulation. The integration of these modules involved the
development of methods for dealing with the mismatch between the outputs of
the failure detection module and the input requirements of the automatic
control system redesign module. The performance of this demonstration system
was examined through extensive simulation trials.

A general summary of the simulation results was given in subsection 3.3. 
The following suggestions for future efforts are derived from these results, 
from a qualitative analysis of the potential capabilities of the demonstration 
system for other types of aircraft, and from some of the results in [1].

1. The two LQ designs for the FCS both exhibited a great deal of
passive fault tolerance. This result was observed in [1] and
was therefore expected for the FCS that utilized full independent
control action (nonstandard for the B-737). However, the
degree of fault tolerance of the "standard" FCS (an LQ design
utilizing only standard B-737 control action) was surprising.
The use of pitch and bank angles as reference commands may have
been partially responsible for this result. A useful topic of
future investigation would be the passive fault-tolerant
capabilities of conventional and existing flight control systems and
other FCS design methods.

2. A further investigation of the utility of the compensator
redesign methodology would be useful. In this project and in [1],
very little performance improvement due to redesigned gains
was observed. This is due to the substantial fault tolerance
of the baseline controllers and the stability of the B-737
aircraft. It is expected that compensator redesign would be
more critical on unstable aircraft.

3. In this study, we selected a desired post-failure operating
point arbitrarily. The operating point selection problem is
one that needs to be developed. This problem involves deciding
on the use of nondynamic controls (flaps, gear, weight
redistribution), relaxation of the "model validity constraints" in the
trim algorithm, selection of standard trim inputs (like flight
path and velocity), and pilot interaction. The use of nondynamic
controls in the trim algorithm may involve an extension of the
quadratic optimization procedure to a mixed discrete-continuous
procedure; branch-and-bound methods may be appropriate in this
regard. Successive relaxation of model validity constraints is
a powerful means of iteratively determining the best operating
point. However, stability concerns need to be addressed in any
such procedure.

4. Pilot interaction with an RFCS needs to be addressed in other
areas besides operating point selection. The reference commands
in the LQ FCS are generated by the pilot and, if the RFCS works
well, would make the failure invisible to the pilot. If the
pilot were allowed to select reconfiguration as an autopilot
option, reconfiguration transients could be significant. The
pilot reactions to such transients could have a large impact on
failure recovery performance.

5. The logic of the RFCS system developed for this project is
relatively straightforward. However, as FDI capabilities expand to
include sensor and other equipment, more complex logic will be
needed. It is possible that the use of a rule-based system for
managing the potential variety of operational states would be
effective.

6. An extension to the trim algorithm that incorporates known
aerodynamic nonlinearities would be useful. In special cases (e.g.,
invertible control nonlinearities that appear identically in all
axes) the extension may be straightforward.

7. While this study dealt with control element failures, it is
likely that some failures of interest will include changes to
the aircraft aerodynamics (e.g., partial loss of a horizontal or
vertical stabilizer or partial wing loss). The ARM can handle
these cases when new linear models are available, but the
development of such models is more difficult in these failure cases.
Estimation methods and the effectiveness of the ARM in dealing
with aerodynamic changes should be investigated.

8. The compensator redesign algorithm is based on the LQ method, 
which requires full-state feedback. Methods that require only 
output feedback would be of interest in further investigations. 
The capabilities of the trim algorithm would also be affected 
by the use of output feedback. 

9. Performance issues in integration were discussed. Analytic 
methods for addressing these issues are highly important in 
developing early confidence in any RFCS design program, and 
would be a useful future effort. 

APPENDIX A


RESPONSE DATA FOR IMPORTANT SIMULATION TRIALS 


CONTENTS 

A.1 COMMAND PROFILES

A.2 UNFAILED CLIMBING TURN RESPONSES (R001, R036)

A.3 DUAL STABILIZER RUNAWAY FAILURE (R006, R025, R026)

A.4 SINGLE RIGHT STABILIZER RUNAWAY FAILURE (R034, R035)

A.5 MISSING LEFT AILERON FAILURE (R032, R033)

A.6 STUCK RUDDER FAILURE (R030, R031)

A.7 MISSING LEFT STABILIZER FAILURE (R017, R018)

Figure A.1-1. Original Climbing Turn (CT1)

Figure A.1-2. Modified Climbing Turn (CT4)

2. R036, CT4, No Failure, Limited FCS

Figure A.3-1. R006, Full FCS, No Reconfiguration (Continued)

Figure A.3-2. R025, Full FCS, Reconfiguration, Real FDI (Continued)

, Full FCS, Reconfiguration, Real FDI (Concluded)

Figure A.3-3. R026, Full FCS, Reconfiguration, Perfect FDI (Continued)

A.4 SINGLE RIGHT STABILIZER RUNAWAY

Figure A.4-1. R034, CT4, Limited FCS, No Reconfiguration

Figure A.4-1. R034, CT4, Limited FCS, No Reconfiguration (Continued)

Figure A.4-2. R035,

A.5 MISSING LEFT AILERON FAILURE

Limited FCS, No Reconfiguration (Continued)

Figure A.5-2. R033, CT1, Limited FCS, Full Reconfiguration (Continued)

A.6 STUCK RUDDER FAILURE

Figure A.6-1. R030, CT1, Limited FCS, No Reconfiguration

Figure A.6-1. R030, CT1, Limited FCS, No Reconfiguration (Continued)

Figure A.6-2. R031, CT1, Limited FCS, Full Reconfiguration

Figure A.6-2. R031, CT1, Limited FCS, Full Reconfiguration (Continued)

Figure A.7-1. R017, CT1, Full FCS, No Reconfiguration (Continued)